Diffstat (limited to 'sys/security')
27 files changed, 3324 insertions, 3241 deletions
diff --git a/sys/security/audit/audit_syscalls.c b/sys/security/audit/audit_syscalls.c
index fa037ab..f9865f5 100644
--- a/sys/security/audit/audit_syscalls.c
+++ b/sys/security/audit/audit_syscalls.c
@@ -114,7 +114,7 @@ audit(struct thread *td, struct audit_args *uap)
 }
 #ifdef MAC
- error = mac_check_system_audit(td->td_ucred, rec, uap->length);
+ error = mac_system_check_audit(td->td_ucred, rec, uap->length);
 if (error)
 goto free_out;
 #endif
@@ -166,7 +166,7 @@ auditon(struct thread *td, struct auditon_args *uap)
 AUDIT_ARG(cmd, uap->cmd);
 #ifdef MAC
- error = mac_check_system_auditon(td->td_ucred, uap->cmd);
+ error = mac_system_check_auditon(td->td_ucred, uap->cmd);
 if (error)
 return (error);
 #endif
@@ -470,7 +470,7 @@ setauid(struct thread *td, struct setauid_args *uap)
 oldcred = td->td_proc->p_ucred;
 crcopy(newcred, oldcred);
 #ifdef MAC
- error = mac_check_proc_setauid(oldcred, id);
+ error = mac_proc_check_setauid(oldcred, id);
 if (error)
 goto fail;
 #endif
@@ -533,7 +533,7 @@ setaudit(struct thread *td, struct setaudit_args *uap)
 oldcred = td->td_proc->p_ucred;
 crcopy(newcred, oldcred);
 #ifdef MAC
- error = mac_check_proc_setaudit(oldcred, &ai);
+ error = mac_proc_check_setaudit(oldcred, &ai);
 if (error)
 goto fail;
 #endif
@@ -596,7 +596,7 @@ setaudit_addr(struct thread *td, struct setaudit_addr_args *uap)
 oldcred = td->td_proc->p_ucred;
 crcopy(newcred, oldcred);
 #ifdef MAC
- error = mac_check_proc_setaudit_addr(oldcred, &aia);
+ error = mac_proc_check_setaudit_addr(oldcred, &aia);
 if (error)
 goto fail;
 #endif
@@ -655,7 +655,7 @@ auditctl(struct thread *td, struct auditctl_args *uap)
 vfslocked = NDHASGIANT(&nd);
 vp = nd.ni_vp;
 #ifdef MAC
- error = mac_check_system_auditctl(td->td_ucred, vp);
+ error = mac_system_check_auditctl(td->td_ucred, vp);
 VOP_UNLOCK(vp, 0, td);
 if (error) {
 vn_close(vp, AUDIT_CLOSE_FLAGS, td->td_ucred, td);
diff --git a/sys/security/mac/mac_audit.c b/sys/security/mac/mac_audit.c
index 69731c7..d8cd8e6 100644
--- a/sys/security/mac/mac_audit.c
+++ b/sys/security/mac/mac_audit.c
@@ -2,6 +2,7 @@
  * Copyright (c) 1999-2002 Robert N. M. Watson
  * Copyright (c) 2001 Ilmar S. Habibulin
  * Copyright (c) 2001-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
  *
  * This software was developed by Robert Watson and Ilmar Habibulin for the
  * TrustedBSD Project.
@@ -11,6 +12,9 @@
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -46,66 +50,66 @@
 #include <security/mac/mac_policy.h>
 int
-mac_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
+mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai)
 {
 int error;
- MAC_CHECK(check_proc_setaudit, cred, ai);
+ MAC_CHECK(proc_check_setaudit, cred, ai);
 return (error);
 }
 int
-mac_check_proc_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
+mac_proc_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
 {
 int error;
- MAC_CHECK(check_proc_setaudit_addr, cred, aia);
+ MAC_CHECK(proc_check_setaudit_addr, cred, aia);
 return (error);
 }
 int
-mac_check_proc_setauid(struct ucred *cred, uid_t auid)
+mac_proc_check_setauid(struct ucred *cred, uid_t auid)
 {
 int error;
- MAC_CHECK(check_proc_setauid, cred, auid);
+ MAC_CHECK(proc_check_setauid, cred, auid);
 return (error);
 }
 int
-mac_check_system_audit(struct ucred *cred, void *record, int length)
+mac_system_check_audit(struct ucred *cred, void *record, int length)
 {
 int error;
- MAC_CHECK(check_system_audit, cred, record, length);
+ MAC_CHECK(system_check_audit, cred, record, length);
 return (error);
 }
 int
-mac_check_system_auditctl(struct ucred *cred, struct vnode *vp)
+mac_system_check_auditctl(struct ucred *cred, struct vnode *vp)
 {
 int error;
 struct label *vl;
- ASSERT_VOP_LOCKED(vp, "mac_check_system_auditctl");
+ ASSERT_VOP_LOCKED(vp, "mac_system_check_auditctl");
 vl = (vp != NULL) ? vp->v_label : NULL;
- MAC_CHECK(check_system_auditctl, cred, vp, vl);
+ MAC_CHECK(system_check_auditctl, cred, vp, vl);
 return (error);
 }
 int
-mac_check_system_auditon(struct ucred *cred, int cmd)
+mac_system_check_auditon(struct ucred *cred, int cmd)
 {
 int error;
- MAC_CHECK(check_system_auditon, cred, cmd);
+ MAC_CHECK(system_check_auditon, cred, cmd);
 return (error);
 }
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index d9ede98..a00b90f 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
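Review bot: In `mac_system_check_auditctl`, `ASSERT_VOP_LOCKED(vp, ...)` runs on `vp` before the `vp != NULL` test on the following line, so the function's contract for a NULL vnode cannot be read off the code. If a NULL `vp` is a supported input, as the conditional label lookup suggests, a comment above the assertion such as `/* vp may be NULL; the lock assertion is expected to tolerate that. */` would record it; if it is not supported, the conditional on `vl` is dead and can be dropped. Whether the assertion macro accepts NULL is not visible in this hunk and should be confirmed against its definition.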
@@ -90,44 +90,44 @@ struct vop_setlabel_args;
 /*
  * Kernel functions to manage and evaluate labels.
  */
-void mac_init_bpfdesc(struct bpf_d *);
-void mac_init_cred(struct ucred *);
-void mac_init_devfs(struct devfs_dirent *);
-void mac_init_ifnet(struct ifnet *);
-int mac_init_inpcb(struct inpcb *, int);
-void mac_init_sysv_msgmsg(struct msg *);
-void mac_init_sysv_msgqueue(struct msqid_kernel *);
-void mac_init_sysv_sem(struct semid_kernel *);
-void mac_init_sysv_shm(struct shmid_kernel *);
-int mac_init_ipq(struct ipq *, int);
-int mac_init_socket(struct socket *, int);
-void mac_init_pipe(struct pipepair *);
-void mac_init_posix_sem(struct ksem *);
-int mac_init_mbuf(struct mbuf *, int);
-int mac_init_mbuf_tag(struct m_tag *, int);
-void mac_init_mount(struct mount *);
-void mac_init_proc(struct proc *);
-void mac_init_vnode(struct vnode *);
-void mac_copy_mbuf(struct mbuf *, struct mbuf *);
-void mac_copy_mbuf_tag(struct m_tag *, struct m_tag *);
-void mac_copy_vnode_label(struct label *, struct label *);
-void mac_destroy_bpfdesc(struct bpf_d *);
-void mac_destroy_cred(struct ucred *);
-void mac_destroy_devfs(struct devfs_dirent *);
-void mac_destroy_ifnet(struct ifnet *);
-void mac_destroy_inpcb(struct inpcb *);
-void mac_destroy_sysv_msgmsg(struct msg *);
-void mac_destroy_sysv_msgqueue(struct msqid_kernel *);
-void mac_destroy_sysv_sem(struct semid_kernel *);
-void mac_destroy_sysv_shm(struct shmid_kernel *);
-void mac_destroy_ipq(struct ipq *);
-void mac_destroy_socket(struct socket *);
-void mac_destroy_pipe(struct pipepair *);
-void mac_destroy_posix_sem(struct ksem *);
-void mac_destroy_proc(struct proc *);
-void mac_destroy_mbuf_tag(struct m_tag *);
-void mac_destroy_mount(struct mount *);
-void mac_destroy_vnode(struct vnode *);
+void mac_bpfdesc_init(struct bpf_d *);
+void mac_cred_init(struct ucred *);
+void mac_devfs_init(struct devfs_dirent *);
+void mac_ifnet_init(struct ifnet *);
+int mac_inpcb_init(struct inpcb *, int);
+void mac_sysvmsg_init(struct msg *);
+void mac_sysvmsq_init(struct msqid_kernel *);
+void mac_sysvsem_init(struct semid_kernel *);
+void mac_sysvshm_init(struct shmid_kernel *);
+int mac_ipq_init(struct ipq *, int);
+int mac_socket_init(struct socket *, int);
+void mac_pipe_init(struct pipepair *);
+void mac_posixsem_init(struct ksem *);
+int mac_mbuf_init(struct mbuf *, int);
+int mac_mbuf_tag_init(struct m_tag *, int);
+void mac_mount_init(struct mount *);
+void mac_proc_init(struct proc *);
+void mac_vnode_init(struct vnode *);
+void mac_mbuf_copy(struct mbuf *, struct mbuf *);
+void mac_mbuf_tag_copy(struct m_tag *, struct m_tag *);
+void mac_vnode_copy_label(struct label *, struct label *);
+void mac_bpfdesc_destroy(struct bpf_d *);
+void mac_cred_destroy(struct ucred *);
+void mac_devfs_destroy(struct devfs_dirent *);
+void mac_ifnet_destroy(struct ifnet *);
+void mac_inpcb_destroy(struct inpcb *);
+void mac_sysvmsg_destroy(struct msg *);
+void mac_sysvmsq_destroy(struct msqid_kernel *);
+void mac_sysvsem_destroy(struct semid_kernel *);
+void mac_sysvshm_destroy(struct shmid_kernel *);
+void mac_ipq_destroy(struct ipq *);
+void mac_socket_destroy(struct socket *);
+void mac_pipe_destroy(struct pipepair *);
+void mac_posixsem_destroy(struct ksem *);
+void mac_proc_destroy(struct proc *);
+void mac_mbuf_tag_destroy(struct m_tag *);
+void mac_mount_destroy(struct mount *);
+void mac_vnode_destroy(struct vnode *);
 struct label *mac_cred_label_alloc(void);
 void mac_cred_label_free(struct label *);
@@ -138,75 +138,73 @@ void mac_vnode_label_free(struct label *);
  * Labeling event operations: file system objects, and things that look a lot
  * like file system objects.
  */
-void mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
+void mac_devfs_vnode_associate(struct mount *mp, struct devfs_dirent *de,
 struct vnode *vp);
-int mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp);
-void mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp);
-void mac_create_devfs_device(struct ucred *cred, struct mount *mp,
+int mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp);
+void mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp);
+void mac_devfs_create_device(struct ucred *cred, struct mount *mp,
 struct cdev *dev, struct devfs_dirent *de);
-void mac_create_devfs_directory(struct mount *mp, char *dirname,
+void mac_devfs_create_directory(struct mount *mp, char *dirname,
 int dirnamelen, struct devfs_dirent *de);
-void mac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
+void mac_devfs_create_symlink(struct ucred *cred, struct mount *mp,
 struct devfs_dirent *dd, struct devfs_dirent *de);
-int mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
+int mac_vnode_create_extattr(struct ucred *cred, struct mount *mp,
 struct vnode *dvp, struct vnode *vp, struct componentname *cnp);
-void mac_create_mount(struct ucred *cred, struct mount *mp);
-void mac_relabel_vnode(struct ucred *cred, struct vnode *vp,
+void mac_mount_create(struct ucred *cred, struct mount *mp);
+void mac_vnode_relabel(struct ucred *cred, struct vnode *vp,
 struct label *newlabel);
-void mac_update_devfs(struct mount *mp, struct devfs_dirent *de,
+void mac_devfs_update(struct mount *mp, struct devfs_dirent *de,
 struct vnode *vp);
 /*
  * Labeling event operations: IPC objects.
  */
-void mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m);
-void mac_create_socket(struct ucred *cred, struct socket *so);
-void mac_create_socket_from_socket(struct socket *oldso,
+void mac_socket_create_mbuf(struct socket *so, struct mbuf *m);
+void mac_socket_create(struct ucred *cred, struct socket *so);
+void mac_socket_newconn(struct socket *oldso, struct socket *newso);
+void mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so);
+void mac_socketpeer_set_from_socket(struct socket *oldso,
 struct socket *newso);
-void mac_set_socket_peer_from_mbuf(struct mbuf *m, struct socket *so);
-void mac_set_socket_peer_from_socket(struct socket *oldso,
- struct socket *newso);
-void mac_create_pipe(struct ucred *cred, struct pipepair *pp);
+void mac_pipe_create(struct ucred *cred, struct pipepair *pp);
 /*
  * Labeling event operations: System V IPC primitives
  */
-void mac_create_sysv_msgmsg(struct ucred *cred,
- struct msqid_kernel *msqkptr, struct msg *msgptr);
-void mac_create_sysv_msgqueue(struct ucred *cred,
- struct msqid_kernel *msqkptr);
-void mac_create_sysv_sem(struct ucred *cred,
+void mac_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
+ struct msg *msgptr);
+void mac_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr);
+void mac_sysvsem_create(struct ucred *cred,
 struct semid_kernel *semakptr);
-void mac_create_sysv_shm(struct ucred *cred,
+void mac_sysvshm_create(struct ucred *cred,
 struct shmid_kernel *shmsegptr);
 /*
  * Labeling event operations: POSIX (global/inter-process) semaphores.
  */
-void mac_create_posix_sem(struct ucred *cred, struct ksem *ks);
+void mac_posixsem_create(struct ucred *cred, struct ksem *ks);
 /*
  * Labeling event operations: network objects.
  */
-void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *d);
-void mac_create_ifnet(struct ifnet *ifp);
-void mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp);
-void mac_create_ipq(struct mbuf *m, struct ipq *ipq);
-void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *m);
-void mac_create_fragment(struct mbuf *m, struct mbuf *frag);
-void mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m);
+void mac_bpfdesc_create(struct ucred *cred, struct bpf_d *d);
+void mac_ifnet_create(struct ifnet *ifp);
+void mac_inpcb_create(struct socket *so, struct inpcb *inp);
+void mac_ipq_create(struct mbuf *m, struct ipq *ipq);
+void mac_ipq_reassemble(struct ipq *ipq, struct mbuf *m);
+void mac_netinet_fragment(struct mbuf *m, struct mbuf *frag);
+void mac_inpcb_create_mbuf(struct inpcb *inp, struct mbuf *m);
 void mac_create_mbuf_linklayer(struct ifnet *ifp, struct mbuf *m);
-void mac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct mbuf *m);
-void mac_create_mbuf_from_ifnet(struct ifnet *ifp, struct mbuf *m);
-void mac_create_mbuf_multicast_encap(struct mbuf *m, struct ifnet *ifp,
+void mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m);
+void mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m);
+void mac_mbuf_create_multicast_encap(struct mbuf *m, struct ifnet *ifp,
 struct mbuf *mnew);
-void mac_create_mbuf_netlayer(struct mbuf *m, struct mbuf *mnew);
-int mac_fragment_match(struct mbuf *m, struct ipq *ipq);
-void mac_reflect_mbuf_icmp(struct mbuf *m);
-void mac_reflect_mbuf_tcp(struct mbuf *m);
-void mac_update_ipq(struct mbuf *m, struct ipq *ipq);
+void mac_mbuf_create_netlayer(struct mbuf *m, struct mbuf *mnew);
+int mac_ipq_match(struct mbuf *m, struct ipq *ipq);
+void mac_netinet_icmp_reply(struct mbuf *m);
+void mac_netinet_tcp_reply(struct mbuf *m);
+void mac_ipq_update(struct mbuf *m, struct ipq *ipq);
 void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp);
-void mac_create_mbuf_from_firewall(struct mbuf *m);
+void mac_mbuf_create_from_firewall(struct mbuf *m);
 void mac_destroy_syncache(struct label **l);
 int mac_init_syncache(struct label **l);
 void mac_init_syncache_from_inpcb(struct label *l, struct inpcb *inp);
@@ -215,16 +213,17 @@ void mac_create_mbuf_from_syncache(struct label *l, struct mbuf *m);
 /*
  * Labeling event operations: processes.
  */
-void mac_copy_cred(struct ucred *cr1, struct ucred *cr2);
+void mac_cred_copy(struct ucred *cr1, struct ucred *cr2);
 int mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
 void mac_execve_exit(struct image_params *imgp);
-void mac_execve_transition(struct ucred *oldcred, struct ucred *newcred,
+void mac_vnode_execve_transition(struct ucred *oldcred,
+ struct ucred *newcred, struct vnode *vp,
+ struct label *interpvnodelabel, struct image_params *imgp);
+int mac_vnode_execve_will_transition(struct ucred *cred, struct vnode *vp,
 struct label *interpvnodelabel, struct image_params *imgp);
-int mac_execve_will_transition(struct ucred *cred, struct vnode *vp,
- struct label *interpvnodelabel, struct image_params *imgp);
-void mac_create_proc0(struct ucred *cred);
-void mac_create_proc1(struct ucred *cred);
+void mac_proc_create_swapper(struct ucred *cred);
+void mac_proc_create_init(struct ucred *cred);
 void mac_thread_userret(struct thread *td);
 /*
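Review bot: The network-object prototypes in the `@@ -138,75 +138,73 @@` hunk end up half-converted: `mac_create_mbuf_linklayer`, `mac_destroy_syncache`, `mac_init_syncache` and `mac_init_syncache_from_inpcb` stay as unchanged context lines under the old verb-first scheme while every neighbour moves to object-first names. The header of the next hunk shows `mac_create_mbuf_from_syncache` unchanged as well. These entry points are the hook surface that policy modules and kernel callers have to agree on, so a mixed scheme makes it harder to audit that each labelled object has its full set of init/create/destroy hooks. Either rename them in the same change or mark them with a comment such as `/* XXX: not yet converted to the mac_<object>_<method> naming. */`. They may be handled in files outside this view, so treat this as a check rather than a confirmed omission.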
@@ -238,177 +237,177 @@ void mac_thread_userret(struct thread *td);
  * XXXRW: These object methods are inconsistent with the life cycles of other
  * objects, and likely should be revised to be more consistent.
  */
-void mac_cleanup_sysv_msgmsg(struct msg *msgptr);
-void mac_cleanup_sysv_msgqueue(struct msqid_kernel *msqkptr);
-void mac_cleanup_sysv_sem(struct semid_kernel *semakptr);
-void mac_cleanup_sysv_shm(struct shmid_kernel *shmsegptr);
+void mac_sysvmsg_cleanup(struct msg *msgptr);
+void mac_sysvmsq_cleanup(struct msqid_kernel *msqkptr);
+void mac_sysvsem_cleanup(struct semid_kernel *semakptr);
+void mac_sysvshm_cleanup(struct shmid_kernel *shmsegptr);
 /*
  * Access control checks.
  */
-int mac_check_bpfdesc_receive(struct bpf_d *d, struct ifnet *ifp);
-int mac_check_cred_visible(struct ucred *cr1, struct ucred *cr2);
-int mac_check_ifnet_transmit(struct ifnet *ifp, struct mbuf *m);
-int mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m);
-int mac_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
+int mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp);
+int mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2);
+int mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m);
+int mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m);
+int mac_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr,
 struct msqid_kernel *msqkptr);
-int mac_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr);
-int mac_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr);
-int mac_check_sysv_msqget(struct ucred *cred,
+int mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr);
+int mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr);
+int mac_sysvmsq_check_msqget(struct ucred *cred,
 struct msqid_kernel *msqkptr);
-int mac_check_sysv_msqsnd(struct ucred *cred,
+int mac_sysvmsq_check_msqsnd(struct ucred *cred,
 struct msqid_kernel *msqkptr);
-int mac_check_sysv_msqrcv(struct ucred *cred,
+int mac_sysvmsq_check_msqrcv(struct ucred *cred,
 struct msqid_kernel *msqkptr);
-int mac_check_sysv_msqctl(struct ucred *cred,
+int mac_sysvmsq_check_msqctl(struct ucred *cred,
 struct msqid_kernel *msqkptr, int cmd);
-int mac_check_sysv_semctl(struct ucred *cred,
+int mac_sysvsem_check_semctl(struct ucred *cred,
 struct semid_kernel *semakptr, int cmd);
-int mac_check_sysv_semget(struct ucred *cred,
+int mac_sysvsem_check_semget(struct ucred *cred,
 struct semid_kernel *semakptr);
-int mac_check_sysv_semop(struct ucred *cred,struct semid_kernel *semakptr,
- size_t accesstype);
-int mac_check_sysv_shmat(struct ucred *cred,
+int mac_sysvsem_check_semop(struct ucred *cred,
+ struct semid_kernel *semakptr, size_t accesstype);
+int mac_sysvshm_check_shmat(struct ucred *cred,
 struct shmid_kernel *shmsegptr, int shmflg);
-int mac_check_sysv_shmctl(struct ucred *cred,
+int mac_sysvshm_check_shmctl(struct ucred *cred,
 struct shmid_kernel *shmsegptr, int cmd);
-int mac_check_sysv_shmdt(struct ucred *cred,
+int mac_sysvshm_check_shmdt(struct ucred *cred,
 struct shmid_kernel *shmsegptr);
-int mac_check_sysv_shmget(struct ucred *cred,
+int mac_sysvshm_check_shmget(struct ucred *cred,
 struct shmid_kernel *shmsegptr, int shmflg);
-int mac_check_kenv_dump(struct ucred *cred);
-int mac_check_kenv_get(struct ucred *cred, char *name);
-int mac_check_kenv_set(struct ucred *cred, char *name, char *value);
-int mac_check_kenv_unset(struct ucred *cred, char *name);
-int mac_check_kld_load(struct ucred *cred, struct vnode *vp);
-int mac_check_kld_stat(struct ucred *cred);
-int mac_check_mount_stat(struct ucred *cred, struct mount *mp);
-int mac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
+int mac_kenv_check_dump(struct ucred *cred);
+int mac_kenv_check_get(struct ucred *cred, char *name);
+int mac_kenv_check_set(struct ucred *cred, char *name, char *value);
+int mac_kenv_check_unset(struct ucred *cred, char *name);
+int mac_kld_check_load(struct ucred *cred, struct vnode *vp);
+int mac_kld_check_stat(struct ucred *cred);
+int mac_mount_check_stat(struct ucred *cred, struct mount *mp);
+int mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
 unsigned long cmd, void *data);
-int mac_check_pipe_poll(struct ucred *cred, struct pipepair *pp);
-int mac_check_pipe_read(struct ucred *cred, struct pipepair *pp);
-int mac_check_pipe_stat(struct ucred *cred, struct pipepair *pp);
-int mac_check_pipe_write(struct ucred *cred, struct pipepair *pp);
-int mac_check_posix_sem_destroy(struct ucred *cred, struct ksem *ks);
-int mac_check_posix_sem_getvalue(struct ucred *cred,struct ksem *ks);
-int mac_check_posix_sem_open(struct ucred *cred, struct ksem *ks);
-int mac_check_posix_sem_post(struct ucred *cred, struct ksem *ks);
-int mac_check_posix_sem_unlink(struct ucred *cred, struct ksem *ks);
-int mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ks);
-int mac_check_proc_debug(struct ucred *cred, struct proc *p);
-int mac_check_proc_sched(struct ucred *cred, struct proc *p);
-int mac_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai);
-int mac_check_proc_setaudit_addr(struct ucred *cred,
+int mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp);
+int mac_pipe_check_read(struct ucred *cred, struct pipepair *pp);
+int mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp);
+int mac_pipe_check_write(struct ucred *cred, struct pipepair *pp);
+int mac_posixsem_check_destroy(struct ucred *cred, struct ksem *ks);
+int mac_posixsem_check_getvalue(struct ucred *cred,struct ksem *ks);
+int mac_posixsem_check_open(struct ucred *cred, struct ksem *ks);
+int mac_posixsem_check_post(struct ucred *cred, struct ksem *ks);
+int mac_posixsem_check_unlink(struct ucred *cred, struct ksem *ks);
+int mac_posixsem_check_wait(struct ucred *cred, struct ksem *ks);
+int mac_proc_check_debug(struct ucred *cred, struct proc *p);
+int mac_proc_check_sched(struct ucred *cred, struct proc *p);
+int mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai);
+int mac_proc_check_setaudit_addr(struct ucred *cred,
 struct auditinfo_addr *aia);
-int mac_check_proc_setauid(struct ucred *cred, uid_t auid);
-int mac_check_proc_setuid(struct proc *p, struct ucred *cred,
+int mac_proc_check_setauid(struct ucred *cred, uid_t auid);
+int mac_proc_check_setuid(struct proc *p, struct ucred *cred,
 uid_t uid);
-int mac_check_proc_seteuid(struct proc *p, struct ucred *cred,
+int mac_proc_check_seteuid(struct proc *p, struct ucred *cred,
 uid_t euid);
-int mac_check_proc_setgid(struct proc *p, struct ucred *cred,
+int mac_proc_check_setgid(struct proc *p, struct ucred *cred,
 gid_t gid);
-int mac_check_proc_setegid(struct proc *p, struct ucred *cred,
+int mac_proc_check_setegid(struct proc *p, struct ucred *cred,
 gid_t egid);
-int mac_check_proc_setgroups(struct proc *p, struct ucred *cred,
+int mac_proc_check_setgroups(struct proc *p, struct ucred *cred,
 int ngroups, gid_t *gidset);
-int mac_check_proc_setreuid(struct proc *p, struct ucred *cred,
+int mac_proc_check_setreuid(struct proc *p, struct ucred *cred,
 uid_t ruid, uid_t euid);
-int mac_check_proc_setregid(struct proc *p, struct ucred *cred,
+int mac_proc_check_setregid(struct proc *p, struct ucred *cred,
 gid_t rgid, gid_t egid);
-int mac_check_proc_setresuid(struct proc *p, struct ucred *cred,
+int mac_proc_check_setresuid(struct proc *p, struct ucred *cred,
 uid_t ruid, uid_t euid, uid_t suid);
-int mac_check_proc_setresgid(struct proc *p, struct ucred *cred,
+int mac_proc_check_setresgid(struct proc *p, struct ucred *cred,
 gid_t rgid, gid_t egid, gid_t sgid);
-int mac_check_proc_signal(struct ucred *cred, struct proc *p,
+int mac_proc_check_signal(struct ucred *cred, struct proc *p,
 int signum);
-int mac_check_proc_wait(struct ucred *cred, struct proc *p);
-int mac_check_socket_accept(struct ucred *cred, struct socket *so);
-int mac_check_socket_bind(struct ucred *cred, struct socket *so,
+int mac_proc_check_wait(struct ucred *cred, struct proc *p);
+int mac_socket_check_accept(struct ucred *cred, struct socket *so);
+int mac_socket_check_bind(struct ucred *cred, struct socket *so,
 struct sockaddr *sa);
-int mac_check_socket_connect(struct ucred *cred, struct socket *so,
+int mac_socket_check_connect(struct ucred *cred, struct socket *so,
 struct sockaddr *sa);
-int mac_check_socket_create(struct ucred *cred, int domain, int type,
+int mac_socket_check_create(struct ucred *cred, int domain, int type,
 int proto);
-int mac_check_socket_deliver(struct socket *so, struct mbuf *m);
-int mac_check_socket_listen(struct ucred *cred, struct socket *so);
-int mac_check_socket_poll(struct ucred *cred, struct socket *so);
-int mac_check_socket_receive(struct ucred *cred, struct socket *so);
-int mac_check_socket_send(struct ucred *cred, struct socket *so);
-int mac_check_socket_stat(struct ucred *cred, struct socket *so);
-int mac_check_socket_visible(struct ucred *cred, struct socket *so);
-int mac_check_system_acct(struct ucred *cred, struct vnode *vp);
-int mac_check_system_audit(struct ucred *cred, void *record, int length);
-int mac_check_system_auditctl(struct ucred *cred, struct vnode *vp);
-int mac_check_system_auditon(struct ucred *cred, int cmd);
-int mac_check_system_reboot(struct ucred *cred, int howto);
-int mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
-int mac_check_system_swapoff(struct ucred *cred, struct vnode *vp);
-int mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+int mac_socket_check_deliver(struct socket *so, struct mbuf *m);
+int mac_socket_check_listen(struct ucred *cred, struct socket *so);
+int mac_socket_check_poll(struct ucred *cred, struct socket *so);
+int mac_socket_check_receive(struct ucred *cred, struct socket *so);
+int mac_socket_check_send(struct ucred *cred, struct socket *so);
+int mac_socket_check_stat(struct ucred *cred, struct socket *so);
+int mac_socket_check_visible(struct ucred *cred, struct socket *so);
+int mac_system_check_acct(struct ucred *cred, struct vnode *vp);
+int mac_system_check_audit(struct ucred *cred, void *record, int length);
+int mac_system_check_auditctl(struct ucred *cred, struct vnode *vp);
+int mac_system_check_auditon(struct ucred *cred, int cmd);
+int mac_system_check_reboot(struct ucred *cred, int howto);
+int mac_system_check_swapon(struct ucred *cred, struct vnode *vp);
+int mac_system_check_swapoff(struct ucred *cred, struct vnode *vp);
+int mac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
 void *arg1, int arg2, struct sysctl_req *req);
-int mac_check_vnode_access(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_access(struct ucred *cred, struct vnode *vp,
 int acc_mode);
-int mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp);
-int mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp);
-int mac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
+int mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp);
+int mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp);
+int mac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
 struct componentname *cnp, struct vattr *vap);
-int mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
 acl_type_t type);
-int mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
 int attrnamespace, const char *name);
-int mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_exec(struct ucred *cred, struct vnode *vp,
 struct image_params *imgp);
-int mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
 acl_type_t type);
-int mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
 int attrnamespace, const char *name, struct uio *uio);
-int mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+int mac_vnode_check_link(struct ucred *cred, struct vnode *dvp,
 struct vnode *vp, struct componentname *cnp);
-int mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
 int attrnamespace);
-int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
+int mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
 struct componentname *cnp);
-int mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, int prot,
+int mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot,
 int flags);
-int mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp,
 int prot);
-int mac_check_vnode_open(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_open(struct ucred *cred, struct vnode *vp,
 int acc_mode);
-int mac_check_vnode_poll(struct ucred *active_cred,
+int mac_vnode_check_poll(struct ucred *active_cred,
 struct ucred *file_cred, struct vnode *vp);
-int mac_check_vnode_read(struct ucred *active_cred,
+int mac_vnode_check_read(struct ucred *active_cred,
 struct ucred *file_cred, struct vnode *vp);
-int mac_check_vnode_readdir(struct ucred *cred, struct vnode *vp);
-int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp);
-int mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
+int mac_vnode_check_readdir(struct ucred *cred, struct vnode *vp);
+int mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp);
+int mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
 struct vnode *vp, struct componentname *cnp);
-int mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
+int mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
 struct vnode *vp, int samedir, struct componentname *cnp);
-int mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp);
-int mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp);
+int mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
 acl_type_t type, struct acl *acl);
-int mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
 int attrnamespace, const char *name, struct uio *uio);
-int mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
 u_long flags);
-int mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
 mode_t mode);
-int mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
 uid_t uid, gid_t gid);
-int mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
 struct timespec atime, struct timespec mtime);
-int mac_check_vnode_stat(struct ucred *active_cred,
+int mac_vnode_check_stat(struct ucred *active_cred,
 struct ucred *file_cred, struct vnode *vp);
-int mac_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
+int mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
 struct vnode *vp, struct componentname *cnp);
-int mac_check_vnode_write(struct ucred *active_cred,
+int mac_vnode_check_write(struct ucred *active_cred,
 struct ucred *file_cred, struct vnode *vp);
 int mac_getsockopt_label(struct ucred *cred, struct socket *so, struct mac *extmac);
 int mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so, struct mac *extmac);
-int mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
+int mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr,
 struct ifnet *ifp);
-int mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
+int mac_ifnet_ioctl_set(struct ucred *cred, struct ifreq *ifr,
 struct ifnet *ifp);
 int mac_setsockopt_label(struct ucred *cred, struct socket *so, struct mac *extmac);
diff --git a/sys/security/mac/mac_inet.c b/sys/security/mac/mac_inet.c
index 7704d73..001be116 100644
--- a/sys/security/mac/mac_inet.c
+++ b/sys/security/mac/mac_inet.c
@@ -2,6 +2,7 @@
  * Copyright (c) 1999-2002 Robert N. M. Watson
  * Copyright (c) 2001 Ilmar S. Habibulin
  * Copyright (c) 2001-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -12,6 +13,9 @@
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -74,9 +78,9 @@ mac_inpcb_label_alloc(int flag)
 label = mac_labelzone_alloc(flag);
 if (label == NULL)
 return (NULL);
- MAC_CHECK(init_inpcb_label, label, flag);
+ MAC_CHECK(inpcb_init_label, label, flag);
 if (error) {
- MAC_PERFORM(destroy_inpcb_label, label);
+ MAC_PERFORM(inpcb_destroy_label, label);
 mac_labelzone_free(label);
 return (NULL);
 }
@@ -84,7 +88,7 @@ mac_inpcb_label_alloc(int flag)
 }
 int
-mac_init_inpcb(struct inpcb *inp, int flag)
+mac_inpcb_init(struct inpcb *inp, int flag)
 {
 inp->inp_label = mac_inpcb_label_alloc(flag);
@@ -103,9 +107,9 @@ mac_ipq_label_alloc(int flag)
 if (label == NULL)
 return (NULL);
- MAC_CHECK(init_ipq_label, label, flag);
+ MAC_CHECK(ipq_init_label, label, flag);
 if (error) {
- MAC_PERFORM(destroy_ipq_label, label);
+ MAC_PERFORM(ipq_destroy_label, label);
 mac_labelzone_free(label);
 return (NULL);
 }
@@ -113,7 +117,7 @@ mac_ipq_label_alloc(int flag) } int -mac_init_ipq(struct ipq *ipq, int flag) +mac_ipq_init(struct ipq *ipq, int flag) { ipq->ipq_label = mac_ipq_label_alloc(flag); @@ -126,12 +130,12 @@ static void mac_inpcb_label_free(struct label *label) { - MAC_PERFORM(destroy_inpcb_label, label); + MAC_PERFORM(inpcb_destroy_label, label); mac_labelzone_free(label); } void -mac_destroy_inpcb(struct inpcb *inp) +mac_inpcb_destroy(struct inpcb *inp) { mac_inpcb_label_free(inp->inp_label); @@ -142,12 +146,12 @@ static void mac_ipq_label_free(struct label *label) { - MAC_PERFORM(destroy_ipq_label, label); + MAC_PERFORM(ipq_destroy_label, label); mac_labelzone_free(label); } void -mac_destroy_ipq(struct ipq *ipq) +mac_ipq_destroy(struct ipq *ipq) { mac_ipq_label_free(ipq->ipq_label); 
@@ -155,57 +159,56 @@ mac_destroy_ipq(struct ipq *ipq) } void -mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp) +mac_inpcb_create(struct socket *so, struct inpcb *inp) { - MAC_PERFORM(create_inpcb_from_socket, so, so->so_label, inp, - inp->inp_label); + MAC_PERFORM(inpcb_create, so, so->so_label, inp, inp->inp_label); } void -mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *m) +mac_ipq_reassemble(struct ipq *ipq, struct mbuf *m) { struct label *label; label = mac_mbuf_to_label(m); - MAC_PERFORM(create_datagram_from_ipq, ipq, ipq->ipq_label, m, label); + MAC_PERFORM(ipq_reassemble, ipq, ipq->ipq_label, m, label); } void -mac_create_fragment(struct mbuf *m, struct mbuf *frag) +mac_netinet_fragment(struct mbuf *m, struct mbuf *frag) { struct label *mlabel, *fraglabel; mlabel = mac_mbuf_to_label(m); fraglabel = mac_mbuf_to_label(frag); - MAC_PERFORM(create_fragment, m, mlabel, frag, fraglabel); + MAC_PERFORM(netinet_fragment, m, mlabel, frag, fraglabel); } void -mac_create_ipq(struct mbuf *m, struct ipq *ipq) +mac_ipq_create(struct mbuf *m, struct ipq *ipq) { struct label *label; label = mac_mbuf_to_label(m); - MAC_PERFORM(create_ipq, m, label, ipq, ipq->ipq_label); + MAC_PERFORM(ipq_create, m, label, ipq, ipq->ipq_label); } void -mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m) +mac_inpcb_create_mbuf(struct inpcb *inp, struct mbuf *m) { struct label *mlabel; INP_LOCK_ASSERT(inp); mlabel = mac_mbuf_to_label(m); - MAC_PERFORM(create_mbuf_from_inpcb, inp, inp->inp_label, m, mlabel); + MAC_PERFORM(inpcb_create_mbuf, inp, inp->inp_label, m, mlabel); } int -mac_fragment_match(struct mbuf *m, struct ipq *ipq) +mac_ipq_match(struct mbuf *m, struct ipq *ipq) { struct label *label; int result; 
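Review bot: The new name `mac_ipq_reassemble()` no longer says which object receives the label, which the old `mac_create_datagram_from_ipq()` did. The call passes `ipq->ipq_label` first and the label from `mac_mbuf_to_label(m)` last, so the mbuf is presumably the destination. A comment above the function such as `/* Label the reassembled datagram m from the reassembly queue ipq. */` would keep that information. The same applies to `mac_netinet_fragment()` and `mac_inpcb_create_mbuf()` in this hunk, and to `mac_netinet_icmp_reply()` and `mac_netinet_tcp_reply()` in the hunk at -213.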
@@ -213,43 +216,43 @@ mac_fragment_match(struct mbuf *m, struct ipq *ipq) label = mac_mbuf_to_label(m); result = 1; - MAC_BOOLEAN(fragment_match, &&, m, label, ipq, ipq->ipq_label); + MAC_BOOLEAN(ipq_match, &&, m, label, ipq, ipq->ipq_label); return (result); } void -mac_reflect_mbuf_icmp(struct mbuf *m) +mac_netinet_icmp_reply(struct mbuf *m) { struct label *label; label = mac_mbuf_to_label(m); - MAC_PERFORM(reflect_mbuf_icmp, m, label); + MAC_PERFORM(netinet_icmp_reply, m, label); } void -mac_reflect_mbuf_tcp(struct mbuf *m) +mac_netinet_tcp_reply(struct mbuf *m) { struct label *label; label = mac_mbuf_to_label(m); - MAC_PERFORM(reflect_mbuf_tcp, m, label); + MAC_PERFORM(netinet_tcp_reply, m, label); } void -mac_update_ipq(struct mbuf *m, struct ipq *ipq) +mac_ipq_update(struct mbuf *m, struct ipq *ipq) { struct label *label; label = mac_mbuf_to_label(m); - MAC_PERFORM(update_ipq, m, label, ipq, ipq->ipq_label); + MAC_PERFORM(ipq_update, m, label, ipq, ipq->ipq_label); } int -mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m) +mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m) { struct label *label; int error; @@ -258,7 +261,7 @@ mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m) label = mac_mbuf_to_label(m); - MAC_CHECK(check_inpcb_deliver, inp, inp->inp_label, m, label); + MAC_CHECK(inpcb_check_deliver, inp, inp->inp_label, m, label); return (error); } @@ -273,13 +276,13 @@ mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp) } void -mac_create_mbuf_from_firewall(struct mbuf *m) +mac_mbuf_create_from_firewall(struct mbuf *m) { struct label *label; M_ASSERTPKTHDR(m); label = mac_mbuf_to_label(m); - MAC_PERFORM(create_mbuf_from_firewall, m, label); + MAC_PERFORM(mbuf_create_from_firewall, m, label); } /* diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h index fcf59aa..2cdc006 100644 --- a/sys/security/mac/mac_internal.h +++ b/sys/security/mac/mac_internal.h 
@@ -3,6 +3,7 @@ * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001-2004 Networks Associates Technology, Inc. * Copyright (c) 2006 nCircle Network Security, Inc. + * Copyright (c) 2006 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson and Ilmar Habibulin for the @@ -16,6 +17,9 @@ * This software was developed by Robert N. M. Watson for the TrustedBSD * Project under contract to nCircle Network Security, Inc. * + * This software was enhanced by SPARTA ISSO under SPAWAR contract + * N66001-04-C-6019 ("SEFOS"). + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: 
@@ -118,30 +122,30 @@ void mac_pipe_label_free(struct label *label); struct label *mac_socket_label_alloc(int flag); void mac_socket_label_free(struct label *label); -int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel); -int mac_externalize_cred_label(struct label *label, char *elements, +int mac_cred_check_relabel(struct ucred *cred, struct label *newlabel); +int mac_cred_externalize_label(struct label *label, char *elements, char *outbuf, size_t outbuflen); -int mac_internalize_cred_label(struct label *label, char *string); -void mac_relabel_cred(struct ucred *cred, struct label *newlabel); +int mac_cred_internalize_label(struct label *label, char *string); +void mac_cred_relabel(struct ucred *cred, struct label *newlabel); struct label *mac_mbuf_to_label(struct mbuf *m); -void mac_copy_pipe_label(struct label *src, struct label *dest); -int mac_externalize_pipe_label(struct label *label, char *elements, +void mac_pipe_copy_label(struct label *src, struct label *dest); +int mac_pipe_externalize_label(struct label *label, char *elements, char *outbuf, size_t outbuflen); -int mac_internalize_pipe_label(struct label *label, char *string); +int mac_pipe_internalize_label(struct label *label, char *string); int mac_socket_label_set(struct ucred *cred, struct socket *so, struct label *label); -void mac_copy_socket_label(struct label *src, struct label *dest); -int mac_externalize_socket_label(struct label *label, char *elements, +void mac_socket_copy_label(struct label *src, struct label *dest); +int mac_socket_externalize_label(struct label *label, char *elements, char *outbuf, size_t outbuflen); -int mac_internalize_socket_label(struct label *label, char *string); +int mac_socket_internalize_label(struct label *label, char *string); -int mac_externalize_vnode_label(struct label *label, char *elements, +int mac_vnode_externalize_label(struct label *label, char *elements, char *outbuf, size_t outbuflen); -int mac_internalize_vnode_label(struct label 
*label, char *string); -void mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, +int mac_vnode_internalize_label(struct label *label, char *string); +void mac_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot); int vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred); @@ -263,7 +267,7 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel, break; \ } \ claimed = 0; \ - MAC_CHECK(externalize_ ## type ## _label, label, \ + MAC_CHECK(type ## _externalize_label, label, \ element_name, &sb, &claimed); \ if (error) \ break; \ @@ -299,7 +303,7 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel, break; \ } \ claimed = 0; \ - MAC_CHECK(internalize_ ## type ## _label, label, \ + MAC_CHECK(type ## _internalize_label, label, \ element_name, element_data, &claimed); \ if (error) \ break; \ diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c index 05a0073..406e1f8 100644 --- a/sys/security/mac/mac_net.c +++ b/sys/security/mac/mac_net.c @@ -2,11 +2,15 @@ * Copyright (c) 1999-2002 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001-2004 Networks Associates Technology, Inc. + * Copyright (c) 2006 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson and Ilmar Habibulin for the * TrustedBSD Project. * + * This software was enhanced by SPARTA ISSO under SPAWAR contract + * N66001-04-C-6019 ("SEFOS"). + * * This software was developed for the FreeBSD Project in part by Network * Associates Laboratories, the Security Research Division of Network * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 
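Review bot: In the hunk at -118, `mac_vnode_check_mmap_downgrade()` gains the `_check_` infix but is declared `void` and takes `int *prot`. `mac_cred_check_relabel()` in the same hunk returns an `int` error, so a reader will expect every `mac_<object>_check_<op>` to yield a decision the caller must test. The definition is not in this hunk, so the exact behaviour is inferred from the prototype. A comment on the prototype such as `/* Adjusts *prot in place; returns no error. */` would make the difference explicit.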
@@ -102,12 +106,12 @@ mac_bpfdesc_label_alloc(void) struct label *label; label = mac_labelzone_alloc(M_WAITOK); - MAC_PERFORM(init_bpfdesc_label, label); + MAC_PERFORM(bpfdesc_init_label, label); return (label); } void -mac_init_bpfdesc(struct bpf_d *d) +mac_bpfdesc_init(struct bpf_d *d) { d->bd_label = mac_bpfdesc_label_alloc(); @@ -119,19 +123,19 @@ mac_ifnet_label_alloc(void) struct label *label; label = mac_labelzone_alloc(M_WAITOK); - MAC_PERFORM(init_ifnet_label, label); + MAC_PERFORM(ifnet_init_label, label); return (label); } void -mac_init_ifnet(struct ifnet *ifp) +mac_ifnet_init(struct ifnet *ifp) { ifp->if_label = mac_ifnet_label_alloc(); } int -mac_init_mbuf_tag(struct m_tag *tag, int flag) +mac_mbuf_tag_init(struct m_tag *tag, int flag) { struct label *label; int error; @@ -139,16 +143,16 @@ mac_init_mbuf_tag(struct m_tag *tag, int flag) label = (struct label *) (tag + 1); mac_init_label(label); - MAC_CHECK(init_mbuf_label, label, flag); + MAC_CHECK(mbuf_init_label, label, flag); if (error) { - MAC_PERFORM(destroy_mbuf_label, label); + MAC_PERFORM(mbuf_destroy_label, label); mac_destroy_label(label); } return (error); } int -mac_init_mbuf(struct mbuf *m, int flag) +mac_mbuf_init(struct mbuf *m, int flag) { struct m_tag *tag; int error; @@ -167,7 +171,7 @@ mac_init_mbuf(struct mbuf *m, int flag) flag); if (tag == NULL) return (ENOMEM); - error = mac_init_mbuf_tag(tag, flag); + error = mac_mbuf_tag_init(tag, flag); if (error) { m_tag_free(tag); return (error); @@ -180,12 +184,12 @@ static void mac_bpfdesc_label_free(struct label *label) { - MAC_PERFORM(destroy_bpfdesc_label, label); + MAC_PERFORM(bpfdesc_destroy_label, label); mac_labelzone_free(label); } void -mac_destroy_bpfdesc(struct bpf_d *d) +mac_bpfdesc_destroy(struct bpf_d *d) { mac_bpfdesc_label_free(d->bd_label); 
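Review bot: The failure path of `mac_mbuf_init()` (hunk at -167) may tear the label down twice. `mac_mbuf_tag_init()` in the hunk at -139 already runs `MAC_PERFORM(mbuf_destroy_label, label)` and `mac_destroy_label(label)` when the init check fails, and the caller then passes the same tag to `m_tag_free(tag)`. Whether the tag's free routine calls `mac_mbuf_tag_destroy()` again is not visible on this page, so this needs confirming against the mbuf tag code. If it does, decide which side owns teardown and record it above the call, e.g. `/* label already destroyed by mac_mbuf_tag_init() on failure */`. `mac_mbuf_init()` starts and ends outside the hunk.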
@@ -196,12 +200,12 @@ static void mac_ifnet_label_free(struct label *label) { - MAC_PERFORM(destroy_ifnet_label, label); + MAC_PERFORM(ifnet_destroy_label, label); mac_labelzone_free(label); } void -mac_destroy_ifnet(struct ifnet *ifp) +mac_ifnet_destroy(struct ifnet *ifp) { mac_ifnet_label_free(ifp->if_label); @@ -209,22 +213,22 @@ mac_destroy_ifnet(struct ifnet *ifp) } void -mac_destroy_mbuf_tag(struct m_tag *tag) +mac_mbuf_tag_destroy(struct m_tag *tag) { struct label *label; label = (struct label *)(tag+1); - MAC_PERFORM(destroy_mbuf_label, label); + MAC_PERFORM(mbuf_destroy_label, label); mac_destroy_label(label); } /* - * mac_copy_mbuf_tag is called when an mbuf header is duplicated, in which + * mac_mbuf_tag_copy is called when an mbuf header is duplicated, in which * case the labels must also be duplicated. */ void -mac_copy_mbuf_tag(struct m_tag *src, struct m_tag *dest) +mac_mbuf_tag_copy(struct m_tag *src, struct m_tag *dest) { struct label *src_label, *dest_label; 
@@ -232,32 +236,32 @@ mac_copy_mbuf_tag(struct m_tag *src, struct m_tag *dest) dest_label = (struct label *)(dest+1); /* - * mac_init_mbuf_tag() is called on the target tag in m_tag_copy(), + * mac_mbuf_tag_init() is called on the target tag in m_tag_copy(), * so we don't need to call it here. */ - MAC_PERFORM(copy_mbuf_label, src_label, dest_label); + MAC_PERFORM(mbuf_copy_label, src_label, dest_label); } void -mac_copy_mbuf(struct mbuf *m_from, struct mbuf *m_to) +mac_mbuf_copy(struct mbuf *m_from, struct mbuf *m_to) { struct label *src_label, *dest_label; src_label = mac_mbuf_to_label(m_from); dest_label = mac_mbuf_to_label(m_to); - MAC_PERFORM(copy_mbuf_label, src_label, dest_label); + MAC_PERFORM(mbuf_copy_label, src_label, dest_label); } static void -mac_copy_ifnet_label(struct label *src, struct label *dest) +mac_ifnet_copy_label(struct label *src, struct label *dest) { - MAC_PERFORM(copy_ifnet_label, src, dest); + MAC_PERFORM(ifnet_copy_label, src, dest); } static int -mac_externalize_ifnet_label(struct label *label, char *elements, +mac_ifnet_externalize_label(struct label *label, char *elements, char *outbuf, size_t outbuflen) { int error; @@ -268,7 +272,7 @@ mac_externalize_ifnet_label(struct label *label, char *elements, } static int -mac_internalize_ifnet_label(struct label *label, char *string) +mac_ifnet_internalize_label(struct label *label, char *string) { int error; 
@@ -278,23 +282,23 @@ mac_internalize_ifnet_label(struct label *label, char *string) } void -mac_create_ifnet(struct ifnet *ifp) +mac_ifnet_create(struct ifnet *ifp) { MAC_IFNET_LOCK(ifp); - MAC_PERFORM(create_ifnet, ifp, ifp->if_label); + MAC_PERFORM(ifnet_create, ifp, ifp->if_label); MAC_IFNET_UNLOCK(ifp); } void -mac_create_bpfdesc(struct ucred *cred, struct bpf_d *d) +mac_bpfdesc_create(struct ucred *cred, struct bpf_d *d) { - MAC_PERFORM(create_bpfdesc, cred, d, d->bd_label); + MAC_PERFORM(bpfdesc_create, cred, d, d->bd_label); } void -mac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct mbuf *m) +mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m) { struct label *label; @@ -302,7 +306,7 @@ mac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct mbuf *m) label = mac_mbuf_to_label(m); - MAC_PERFORM(create_mbuf_from_bpfdesc, d, d->bd_label, m, label); + MAC_PERFORM(bpfdesc_create_mbuf, d, d->bd_label, m, label); } void @@ -318,19 +322,19 @@ mac_create_mbuf_linklayer(struct ifnet *ifp, struct mbuf *m) } void -mac_create_mbuf_from_ifnet(struct ifnet *ifp, struct mbuf *m) +mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m) { struct label *label; label = mac_mbuf_to_label(m); MAC_IFNET_LOCK(ifp); - MAC_PERFORM(create_mbuf_from_ifnet, ifp, ifp->if_label, m, label); + MAC_PERFORM(ifnet_create_mbuf, ifp, ifp->if_label, m, label); MAC_IFNET_UNLOCK(ifp); } void -mac_create_mbuf_multicast_encap(struct mbuf *m, struct ifnet *ifp, +mac_mbuf_create_multicast_encap(struct mbuf *m, struct ifnet *ifp, struct mbuf *mnew) { struct label *mlabel, *mnewlabel; 
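Review bot: `mac_create_mbuf_linklayer()` appears to keep its verb-first name while its neighbours move to the object-first form. The hunk at -318 begins inside that function and no `-`/`+` pair renames its signature, whereas `mac_create_mbuf_from_ifnet` directly below becomes `mac_ifnet_create_mbuf`. In an access-control framework a mixed convention makes it easier to overlook an entry point when auditing which hooks are wired up. If the omission is deliberate, a comment such as `/* XXX: entry point not yet renamed to the object-first convention. */` above it would say so. The function's signature and most of its body lie outside the hunk.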
@@ -339,38 +343,38 @@ mac_create_mbuf_multicast_encap(struct mbuf *m, struct ifnet *ifp, mnewlabel = mac_mbuf_to_label(mnew); MAC_IFNET_LOCK(ifp); - MAC_PERFORM(create_mbuf_multicast_encap, m, mlabel, ifp, + MAC_PERFORM(mbuf_create_multicast_encap, m, mlabel, ifp, ifp->if_label, mnew, mnewlabel); MAC_IFNET_UNLOCK(ifp); } void -mac_create_mbuf_netlayer(struct mbuf *m, struct mbuf *mnew) +mac_mbuf_create_netlayer(struct mbuf *m, struct mbuf *mnew) { struct label *mlabel, *mnewlabel; mlabel = mac_mbuf_to_label(m); mnewlabel = mac_mbuf_to_label(mnew); - MAC_PERFORM(create_mbuf_netlayer, m, mlabel, mnew, mnewlabel); + MAC_PERFORM(mbuf_create_netlayer, m, mlabel, mnew, mnewlabel); } int -mac_check_bpfdesc_receive(struct bpf_d *d, struct ifnet *ifp) +mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp) { int error; BPFD_LOCK_ASSERT(d); MAC_IFNET_LOCK(ifp); - MAC_CHECK(check_bpfdesc_receive, d, d->bd_label, ifp, ifp->if_label); + MAC_CHECK(bpfdesc_check_receive, d, d->bd_label, ifp, ifp->if_label); MAC_IFNET_UNLOCK(ifp); return (error); } int -mac_check_ifnet_transmit(struct ifnet *ifp, struct mbuf *m) +mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m) { struct label *label; int error; @@ -380,14 +384,14 @@ mac_check_ifnet_transmit(struct ifnet *ifp, struct mbuf *m) label = mac_mbuf_to_label(m); MAC_IFNET_LOCK(ifp); - MAC_CHECK(check_ifnet_transmit, ifp, ifp->if_label, m, label); + MAC_CHECK(ifnet_check_transmit, ifp, ifp->if_label, m, label); MAC_IFNET_UNLOCK(ifp); return (error); } int -mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, +mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp) { char *elements, *buffer; 
@@ -413,9 +417,9 @@ mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); intlabel = mac_ifnet_label_alloc(); MAC_IFNET_LOCK(ifp); - mac_copy_ifnet_label(ifp->if_label, intlabel); + mac_ifnet_copy_label(ifp->if_label, intlabel); MAC_IFNET_UNLOCK(ifp); - error = mac_externalize_ifnet_label(intlabel, elements, buffer, + error = mac_ifnet_externalize_label(intlabel, elements, buffer, mac.m_buflen); mac_ifnet_label_free(intlabel); if (error == 0) @@ -428,7 +432,7 @@ mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, } int -mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp) +mac_ifnet_ioctl_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp) { struct label *intlabel; struct mac mac; @@ -451,7 +455,7 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp) } intlabel = mac_ifnet_label_alloc(); - error = mac_internalize_ifnet_label(intlabel, buffer); + error = mac_ifnet_internalize_label(intlabel, buffer); free(buffer, M_MACTEMP); if (error) { mac_ifnet_label_free(intlabel); @@ -470,14 +474,14 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp) } MAC_IFNET_LOCK(ifp); - MAC_CHECK(check_ifnet_relabel, cred, ifp, ifp->if_label, intlabel); + MAC_CHECK(ifnet_check_relabel, cred, ifp, ifp->if_label, intlabel); if (error) { MAC_IFNET_UNLOCK(ifp); mac_ifnet_label_free(intlabel); return (error); } - MAC_PERFORM(relabel_ifnet, cred, ifp, ifp->if_label, intlabel); + MAC_PERFORM(ifnet_relabel, cred, ifp, ifp->if_label, intlabel); MAC_IFNET_UNLOCK(ifp); mac_ifnet_label_free(intlabel); diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c index 6578517..0a352bb 100644 --- a/sys/security/mac/mac_pipe.c +++ b/sys/security/mac/mac_pipe.c 
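Review bot: In the hunk at -470, nothing states that the authorisation and the relabel must stay inside one hold of `MAC_IFNET_LOCK`. `MAC_CHECK(ifnet_check_relabel, ...)` and `MAC_PERFORM(ifnet_relabel, ...)` both read `ifp->if_label`, and the code as written only unlocks after the relabel or on the error return. A later edit that splits them would let the label change between check and use. A comment before the lock such as `/* Check and relabel under a single lock hold so if_label cannot change in between. */` would protect that invariant. `mac_ifnet_ioctl_set()` starts and ends outside this hunk.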
@@ -1,5 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. + * Copyright (c) 2006 SPARTA, Inc. * All rights reserved. * * This software was developed for the FreeBSD Project in part by Network @@ -7,6 +8,9 @@ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), * as part of the DARPA CHATS research program. * + * This software was enhanced by SPARTA ISSO under SPAWAR contract + * N66001-04-C-6019 ("SEFOS"). + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -56,12 +60,12 @@ mac_pipe_label_alloc(void) struct label *label; label = mac_labelzone_alloc(M_WAITOK); - MAC_PERFORM(init_pipe_label, label); + MAC_PERFORM(pipe_init_label, label); return (label); } void -mac_init_pipe(struct pipepair *pp) +mac_pipe_init(struct pipepair *pp) { pp->pp_label = mac_pipe_label_alloc(); @@ -71,12 +75,12 @@ void mac_pipe_label_free(struct label *label) { - MAC_PERFORM(destroy_pipe_label, label); + MAC_PERFORM(pipe_destroy_label, label); mac_labelzone_free(label); } void -mac_destroy_pipe(struct pipepair *pp) +mac_pipe_destroy(struct pipepair *pp) { mac_pipe_label_free(pp->pp_label); @@ -84,14 +88,14 @@ mac_destroy_pipe(struct pipepair *pp) } void -mac_copy_pipe_label(struct label *src, struct label *dest) +mac_pipe_copy_label(struct label *src, struct label *dest) { - MAC_PERFORM(copy_pipe_label, src, dest); + MAC_PERFORM(pipe_copy_label, src, dest); } int -mac_externalize_pipe_label(struct label *label, char *elements, +mac_pipe_externalize_label(struct label *label, char *elements, char *outbuf, size_t outbuflen) { int error; @@ -102,7 +106,7 @@ mac_externalize_pipe_label(struct label *label, char *elements, } int -mac_internalize_pipe_label(struct label *label, char *string) +mac_pipe_internalize_label(struct label *label, char *string) { int error; 
@@ -112,90 +116,90 @@ mac_internalize_pipe_label(struct label *label, char *string) } void -mac_create_pipe(struct ucred *cred, struct pipepair *pp) +mac_pipe_create(struct ucred *cred, struct pipepair *pp) { - MAC_PERFORM(create_pipe, cred, pp, pp->pp_label); + MAC_PERFORM(pipe_create, cred, pp, pp->pp_label); } static void -mac_relabel_pipe(struct ucred *cred, struct pipepair *pp, +mac_pipe_relabel(struct ucred *cred, struct pipepair *pp, struct label *newlabel) { - MAC_PERFORM(relabel_pipe, cred, pp, pp->pp_label, newlabel); + MAC_PERFORM(pipe_relabel, cred, pp, pp->pp_label, newlabel); } int -mac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp, +mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp, unsigned long cmd, void *data) { int error; mtx_assert(&pp->pp_mtx, MA_OWNED); - MAC_CHECK(check_pipe_ioctl, cred, pp, pp->pp_label, cmd, data); + MAC_CHECK(pipe_check_ioctl, cred, pp, pp->pp_label, cmd, data); return (error); } int -mac_check_pipe_poll(struct ucred *cred, struct pipepair *pp) +mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp) { int error; mtx_assert(&pp->pp_mtx, MA_OWNED); - MAC_CHECK(check_pipe_poll, cred, pp, pp->pp_label); + MAC_CHECK(pipe_check_poll, cred, pp, pp->pp_label); return (error); } int -mac_check_pipe_read(struct ucred *cred, struct pipepair *pp) +mac_pipe_check_read(struct ucred *cred, struct pipepair *pp) { int error; mtx_assert(&pp->pp_mtx, MA_OWNED); - MAC_CHECK(check_pipe_read, cred, pp, pp->pp_label); + MAC_CHECK(pipe_check_read, cred, pp, pp->pp_label); return (error); } static int -mac_check_pipe_relabel(struct ucred *cred, struct pipepair *pp, +mac_pipe_check_relabel(struct ucred *cred, struct pipepair *pp, struct label *newlabel) { int error; mtx_assert(&pp->pp_mtx, MA_OWNED); - MAC_CHECK(check_pipe_relabel, cred, pp, pp->pp_label, newlabel); + MAC_CHECK(pipe_check_relabel, cred, pp, pp->pp_label, newlabel); return (error); } int -mac_check_pipe_stat(struct ucred *cred, struct pipepair *pp) 
+mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp) { int error; mtx_assert(&pp->pp_mtx, MA_OWNED); - MAC_CHECK(check_pipe_stat, cred, pp, pp->pp_label); + MAC_CHECK(pipe_check_stat, cred, pp, pp->pp_label); return (error); } int -mac_check_pipe_write(struct ucred *cred, struct pipepair *pp) +mac_pipe_check_write(struct ucred *cred, struct pipepair *pp) { int error; mtx_assert(&pp->pp_mtx, MA_OWNED); - MAC_CHECK(check_pipe_write, cred, pp, pp->pp_label); + MAC_CHECK(pipe_check_write, cred, pp, pp->pp_label); return (error); } @@ -208,11 +212,11 @@ mac_pipe_label_set(struct ucred *cred, struct pipepair *pp, mtx_assert(&pp->pp_mtx, MA_OWNED); - error = mac_check_pipe_relabel(cred, pp, label); + error = mac_pipe_check_relabel(cred, pp, label); if (error) return (error); - mac_relabel_pipe(cred, pp, label); + mac_pipe_relabel(cred, pp, label); return (0); } diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index c061e2e..5106d94 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h 
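Review bot: `mac_pipe_relabel()` in the hunk at -112 is the one routine here that changes `pp->pp_label` through the policies, yet it lacks the `mtx_assert(&pp->pp_mtx, MA_OWNED);` that every `mac_pipe_check_*()` beside it has. The only caller visible on this page, `mac_pipe_label_set()`, asserts the mutex itself, so this is a consistency gap rather than a demonstrated bug. Adding `mtx_assert(&pp->pp_mtx, MA_OWNED);` as the first statement of `mac_pipe_relabel()` would keep the locking contract checked at the point of mutation if another caller is added later.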
@@ -116,217 +116,217 @@ typedef void (*mpo_placeholder_t)(void); * recycle for re-use without init/destroy, copy a label to initialized * storage, and externalize/internalize from/to initialized storage. */ -typedef void (*mpo_init_bpfdesc_label_t)(struct label *label); -typedef void (*mpo_init_cred_label_t)(struct label *label); -typedef void (*mpo_init_devfs_label_t)(struct label *label); -typedef void (*mpo_init_ifnet_label_t)(struct label *label); -typedef int (*mpo_init_inpcb_label_t)(struct label *label, int flag); -typedef void (*mpo_init_sysv_msgmsg_label_t)(struct label *label); -typedef void (*mpo_init_sysv_msgqueue_label_t)(struct label *label); -typedef void (*mpo_init_sysv_sem_label_t)(struct label *label); -typedef void (*mpo_init_sysv_shm_label_t)(struct label *label); -typedef int (*mpo_init_ipq_label_t)(struct label *label, int flag); -typedef int (*mpo_init_mbuf_label_t)(struct label *label, int flag); -typedef void (*mpo_init_mount_label_t)(struct label *label); -typedef int (*mpo_init_socket_label_t)(struct label *label, int flag); -typedef int (*mpo_init_socket_peer_label_t)(struct label *label, +typedef void (*mpo_bpfdesc_init_label_t)(struct label *label); +typedef void (*mpo_cred_init_label_t)(struct label *label); +typedef void (*mpo_devfs_init_label_t)(struct label *label); +typedef void (*mpo_ifnet_init_label_t)(struct label *label); +typedef int (*mpo_inpcb_init_label_t)(struct label *label, int flag); +typedef void (*mpo_sysvmsg_init_label_t)(struct label *label); +typedef void (*mpo_sysvmsq_init_label_t)(struct label *label); +typedef void (*mpo_sysvsem_init_label_t)(struct label *label); +typedef void (*mpo_sysvshm_init_label_t)(struct label *label); +typedef int (*mpo_ipq_init_label_t)(struct label *label, int flag); +typedef int (*mpo_mbuf_init_label_t)(struct label *label, int flag); +typedef void (*mpo_mount_init_label_t)(struct label *label); +typedef int (*mpo_socket_init_label_t)(struct label *label, int flag); +typedef int 
(*mpo_socketpeer_init_label_t)(struct label *label, int flag); -typedef void (*mpo_init_pipe_label_t)(struct label *label); -typedef void (*mpo_init_posix_sem_label_t)(struct label *label); -typedef void (*mpo_init_proc_label_t)(struct label *label); -typedef void (*mpo_init_vnode_label_t)(struct label *label); -typedef void (*mpo_destroy_bpfdesc_label_t)(struct label *label); -typedef void (*mpo_destroy_cred_label_t)(struct label *label); -typedef void (*mpo_destroy_devfs_label_t)(struct label *label); -typedef void (*mpo_destroy_ifnet_label_t)(struct label *label); -typedef void (*mpo_destroy_inpcb_label_t)(struct label *label); -typedef void (*mpo_destroy_sysv_msgmsg_label_t)(struct label *label); -typedef void (*mpo_destroy_sysv_msgqueue_label_t)(struct label *label); -typedef void (*mpo_destroy_sysv_sem_label_t)(struct label *label); -typedef void (*mpo_destroy_sysv_shm_label_t)(struct label *label); -typedef void (*mpo_destroy_ipq_label_t)(struct label *label); -typedef void (*mpo_destroy_mbuf_label_t)(struct label *label); -typedef void (*mpo_destroy_mount_label_t)(struct label *label); -typedef void (*mpo_destroy_socket_label_t)(struct label *label); -typedef void (*mpo_destroy_socket_peer_label_t)(struct label *label); -typedef void (*mpo_destroy_pipe_label_t)(struct label *label); -typedef void (*mpo_destroy_posix_sem_label_t)(struct label *label); -typedef void (*mpo_destroy_proc_label_t)(struct label *label); -typedef void (*mpo_destroy_vnode_label_t)(struct label *label); -typedef void (*mpo_cleanup_sysv_msgmsg_t)(struct label *msglabel); -typedef void (*mpo_cleanup_sysv_msgqueue_t)(struct label *msqlabel); -typedef void (*mpo_cleanup_sysv_sem_t)(struct label *semalabel); -typedef void (*mpo_cleanup_sysv_shm_t)(struct label *shmlabel); -typedef void (*mpo_copy_cred_label_t)(struct label *src, +typedef void (*mpo_pipe_init_label_t)(struct label *label); +typedef void (*mpo_posixsem_init_label_t)(struct label *label); +typedef void 
(*mpo_proc_init_label_t)(struct label *label); +typedef void (*mpo_vnode_init_label_t)(struct label *label); +typedef void (*mpo_bpfdesc_destroy_label_t)(struct label *label); +typedef void (*mpo_cred_destroy_label_t)(struct label *label); +typedef void (*mpo_devfs_destroy_label_t)(struct label *label); +typedef void (*mpo_ifnet_destroy_label_t)(struct label *label); +typedef void (*mpo_inpcb_destroy_label_t)(struct label *label); +typedef void (*mpo_sysvmsg_destroy_label_t)(struct label *label); +typedef void (*mpo_sysvmsq_destroy_label_t)(struct label *label); +typedef void (*mpo_sysvsem_destroy_label_t)(struct label *label); +typedef void (*mpo_sysvshm_destroy_label_t)(struct label *label); +typedef void (*mpo_ipq_destroy_label_t)(struct label *label); +typedef void (*mpo_mbuf_destroy_label_t)(struct label *label); +typedef void (*mpo_mount_destroy_label_t)(struct label *label); +typedef void (*mpo_socket_destroy_label_t)(struct label *label); +typedef void (*mpo_socketpeer_destroy_label_t)(struct label *label); +typedef void (*mpo_pipe_destroy_label_t)(struct label *label); +typedef void (*mpo_posixsem_destroy_label_t)(struct label *label); +typedef void (*mpo_proc_destroy_label_t)(struct label *label); +typedef void (*mpo_vnode_destroy_label_t)(struct label *label); +typedef void (*mpo_sysvmsg_cleanup_t)(struct label *msglabel); +typedef void (*mpo_sysvmsq_cleanup_t)(struct label *msqlabel); +typedef void (*mpo_sysvsem_cleanup_t)(struct label *semalabel); +typedef void (*mpo_sysvshm_cleanup_t)(struct label *shmlabel); +typedef void (*mpo_cred_copy_label_t)(struct label *src, struct label *dest); -typedef void (*mpo_copy_ifnet_label_t)(struct label *src, +typedef void (*mpo_ifnet_copy_label_t)(struct label *src, struct label *dest); -typedef void (*mpo_copy_mbuf_label_t)(struct label *src, +typedef void (*mpo_mbuf_copy_label_t)(struct label *src, struct label *dest); -typedef void (*mpo_copy_pipe_label_t)(struct label *src, +typedef void 
(*mpo_pipe_copy_label_t)(struct label *src, struct label *dest); -typedef void (*mpo_copy_socket_label_t)(struct label *src, +typedef void (*mpo_socket_copy_label_t)(struct label *src, struct label *dest); -typedef void (*mpo_copy_vnode_label_t)(struct label *src, +typedef void (*mpo_vnode_copy_label_t)(struct label *src, struct label *dest); -typedef int (*mpo_externalize_cred_label_t)(struct label *label, +typedef int (*mpo_cred_externalize_label_t)(struct label *label, char *element_name, struct sbuf *sb, int *claimed); -typedef int (*mpo_externalize_ifnet_label_t)(struct label *label, +typedef int (*mpo_ifnet_externalize_label_t)(struct label *label, char *element_name, struct sbuf *sb, int *claimed); -typedef int (*mpo_externalize_pipe_label_t)(struct label *label, +typedef int (*mpo_pipe_externalize_label_t)(struct label *label, char *element_name, struct sbuf *sb, int *claimed); -typedef int (*mpo_externalize_socket_label_t)(struct label *label, +typedef int (*mpo_socket_externalize_label_t)(struct label *label, char *element_name, struct sbuf *sb, int *claimed); -typedef int (*mpo_externalize_socket_peer_label_t)(struct label *label, +typedef int (*mpo_socketpeer_externalize_label_t)(struct label *label, char *element_name, struct sbuf *sb, int *claimed); -typedef int (*mpo_externalize_vnode_label_t)(struct label *label, +typedef int (*mpo_vnode_externalize_label_t)(struct label *label, char *element_name, struct sbuf *sb, int *claimed); -typedef int (*mpo_internalize_cred_label_t)(struct label *label, +typedef int (*mpo_cred_internalize_label_t)(struct label *label, char *element_name, char *element_data, int *claimed); -typedef int (*mpo_internalize_ifnet_label_t)(struct label *label, +typedef int (*mpo_ifnet_internalize_label_t)(struct label *label, char *element_name, char *element_data, int *claimed); -typedef int (*mpo_internalize_pipe_label_t)(struct label *label, +typedef int (*mpo_pipe_internalize_label_t)(struct label *label, char *element_name, 
char *element_data, int *claimed); -typedef int (*mpo_internalize_socket_label_t)(struct label *label, +typedef int (*mpo_socket_internalize_label_t)(struct label *label, char *element_name, char *element_data, int *claimed); -typedef int (*mpo_internalize_vnode_label_t)(struct label *label, +typedef int (*mpo_vnode_internalize_label_t)(struct label *label, char *element_name, char *element_data, int *claimed); /* * Labeling event operations: file system objects, and things that look a lot * like file system objects. */ -typedef void (*mpo_associate_vnode_devfs_t)(struct mount *mp, +typedef void (*mpo_devfs_vnode_associate_t)(struct mount *mp, struct label *mplabel, struct devfs_dirent *de, struct label *delabel, struct vnode *vp, struct label *vplabel); -typedef int (*mpo_associate_vnode_extattr_t)(struct mount *mp, +typedef int (*mpo_vnode_associate_extattr_t)(struct mount *mp, struct label *mplabel, struct vnode *vp, struct label *vplabel); -typedef void (*mpo_associate_vnode_singlelabel_t)(struct mount *mp, +typedef void (*mpo_vnode_associate_singlelabel_t)(struct mount *mp, struct label *mplabel, struct vnode *vp, struct label *vplabel); -typedef void (*mpo_create_devfs_device_t)(struct ucred *cred, +typedef void (*mpo_devfs_create_device_t)(struct ucred *cred, struct mount *mp, struct cdev *dev, struct devfs_dirent *de, struct label *delabel); -typedef void (*mpo_create_devfs_directory_t)(struct mount *mp, +typedef void (*mpo_devfs_create_directory_t)(struct mount *mp, char *dirname, int dirnamelen, struct devfs_dirent *de, struct label *delabel); -typedef void (*mpo_create_devfs_symlink_t)(struct ucred *cred, +typedef void (*mpo_devfs_create_symlink_t)(struct ucred *cred, struct mount *mp, struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, struct label *delabel); -typedef int (*mpo_create_vnode_extattr_t)(struct ucred *cred, +typedef int (*mpo_vnode_create_extattr_t)(struct ucred *cred, struct mount *mp, struct label *mplabel, struct 
vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp); -typedef void (*mpo_create_mount_t)(struct ucred *cred, struct mount *mp, +typedef void (*mpo_mount_create_t)(struct ucred *cred, struct mount *mp, struct label *mplabel); -typedef void (*mpo_relabel_vnode_t)(struct ucred *cred, struct vnode *vp, +typedef void (*mpo_vnode_relabel_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct label *label); -typedef int (*mpo_setlabel_vnode_extattr_t)(struct ucred *cred, +typedef int (*mpo_vnode_setlabel_extattr_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct label *intlabel); -typedef void (*mpo_update_devfs_t)(struct mount *mp, +typedef void (*mpo_devfs_update_t)(struct mount *mp, struct devfs_dirent *de, struct label *delabel, struct vnode *vp, struct label *vplabel); /* * Labeling event operations: IPC objects. */ -typedef void (*mpo_create_mbuf_from_socket_t)(struct socket *so, +typedef void (*mpo_socket_create_mbuf_t)(struct socket *so, struct label *solabel, struct mbuf *m, struct label *mlabel); -typedef void (*mpo_create_socket_t)(struct ucred *cred, struct socket *so, +typedef void (*mpo_socket_create_t)(struct ucred *cred, struct socket *so, struct label *solabel); -typedef void (*mpo_create_socket_from_socket_t)(struct socket *oldso, +typedef void (*mpo_socket_newconn_t)(struct socket *oldso, struct label *oldsolabel, struct socket *newso, struct label *newsolabel); -typedef void (*mpo_relabel_socket_t)(struct ucred *cred, struct socket *so, +typedef void (*mpo_socket_relabel_t)(struct ucred *cred, struct socket *so, struct label *oldlabel, struct label *newlabel); -typedef void (*mpo_relabel_pipe_t)(struct ucred *cred, struct pipepair *pp, +typedef void (*mpo_pipe_relabel_t)(struct ucred *cred, struct pipepair *pp, struct label *oldlabel, struct label *newlabel); -typedef void (*mpo_set_socket_peer_from_mbuf_t)(struct mbuf *m, +typedef void 
(*mpo_socketpeer_set_from_mbuf_t)(struct mbuf *m, struct label *mlabel, struct socket *so, struct label *sopeerlabel); -typedef void (*mpo_set_socket_peer_from_socket_t)(struct socket *oldso, +typedef void (*mpo_socketpeer_set_from_socket_t)(struct socket *oldso, struct label *oldsolabel, struct socket *newso, struct label *newsopeerlabel); -typedef void (*mpo_create_pipe_t)(struct ucred *cred, struct pipepair *pp, +typedef void (*mpo_pipe_create_t)(struct ucred *cred, struct pipepair *pp, struct label *pplabel); /* * Labeling event operations: System V IPC primitives. */ -typedef void (*mpo_create_sysv_msgmsg_t)(struct ucred *cred, +typedef void (*mpo_sysvmsg_create_t)(struct ucred *cred, struct msqid_kernel *msqkptr, struct label *msqlabel, struct msg *msgptr, struct label *msglabel); -typedef void (*mpo_create_sysv_msgqueue_t)(struct ucred *cred, +typedef void (*mpo_sysvmsq_create_t)(struct ucred *cred, struct msqid_kernel *msqkptr, struct label *msqlabel); -typedef void (*mpo_create_sysv_sem_t)(struct ucred *cred, +typedef void (*mpo_sysvsem_create_t)(struct ucred *cred, struct semid_kernel *semakptr, struct label *semalabel); -typedef void (*mpo_create_sysv_shm_t)(struct ucred *cred, +typedef void (*mpo_sysvshm_create_t)(struct ucred *cred, struct shmid_kernel *shmsegptr, struct label *shmlabel); /* * Labeling event operations: POSIX (global/inter-process) semaphores. */ -typedef void (*mpo_create_posix_sem_t)(struct ucred *cred, +typedef void (*mpo_posixsem_create_t)(struct ucred *cred, struct ksem *ks, struct label *kslabel); /* * Labeling event operations: network objects. 
*/ -typedef void (*mpo_create_bpfdesc_t)(struct ucred *cred, +typedef void (*mpo_bpfdesc_create_t)(struct ucred *cred, struct bpf_d *d, struct label *dlabel); -typedef void (*mpo_create_ifnet_t)(struct ifnet *ifp, +typedef void (*mpo_ifnet_create_t)(struct ifnet *ifp, struct label *ifplabel); -typedef void (*mpo_create_inpcb_from_socket_t)(struct socket *so, +typedef void (*mpo_inpcb_create_t)(struct socket *so, struct label *solabel, struct inpcb *inp, struct label *inplabel); -typedef void (*mpo_create_ipq_t)(struct mbuf *m, struct label *mlabel, +typedef void (*mpo_ipq_create_t)(struct mbuf *m, struct label *mlabel, struct ipq *ipq, struct label *ipqlabel); -typedef void (*mpo_create_datagram_from_ipq) +typedef void (*mpo_ipq_reassemble) (struct ipq *ipq, struct label *ipqlabel, struct mbuf *m, struct label *mlabel); -typedef void (*mpo_create_fragment_t)(struct mbuf *m, +typedef void (*mpo_netinet_fragment_t)(struct mbuf *m, struct label *mlabel, struct mbuf *frag, struct label *fraglabel); -typedef void (*mpo_create_mbuf_from_inpcb_t)(struct inpcb *inp, +typedef void (*mpo_inpcb_create_mbuf_t)(struct inpcb *inp, struct label *inplabel, struct mbuf *m, struct label *mlabel); typedef void (*mpo_create_mbuf_linklayer_t)(struct ifnet *ifp, struct label *ifplabel, struct mbuf *m, struct label *mlabel); -typedef void (*mpo_create_mbuf_from_bpfdesc_t)(struct bpf_d *d, +typedef void (*mpo_bpfdesc_create_mbuf_t)(struct bpf_d *d, struct label *dlabel, struct mbuf *m, struct label *mlabel); -typedef void (*mpo_create_mbuf_from_ifnet_t)(struct ifnet *ifp, +typedef void (*mpo_ifnet_create_mbuf_t)(struct ifnet *ifp, struct label *ifplabel, struct mbuf *m, struct label *mlabel); -typedef void (*mpo_create_mbuf_multicast_encap_t)(struct mbuf *m, +typedef void (*mpo_mbuf_create_multicast_encap_t)(struct mbuf *m, struct label *mlabel, struct ifnet *ifp, struct label *ifplabel, struct mbuf *mnew, struct label *mnewlabel); -typedef void (*mpo_create_mbuf_netlayer_t)(struct mbuf 
*m, +typedef void (*mpo_mbuf_create_netlayer_t)(struct mbuf *m, struct label *mlabel, struct mbuf *mnew, struct label *mnewlabel); -typedef int (*mpo_fragment_match_t)(struct mbuf *m, struct label *mlabel, +typedef int (*mpo_ipq_match_t)(struct mbuf *m, struct label *mlabel, struct ipq *ipq, struct label *ipqlabel); -typedef void (*mpo_reflect_mbuf_icmp_t)(struct mbuf *m, +typedef void (*mpo_netinet_icmp_reply_t)(struct mbuf *m, struct label *mlabel); -typedef void (*mpo_reflect_mbuf_tcp_t)(struct mbuf *m, +typedef void (*mpo_netinet_tcp_reply_t)(struct mbuf *m, struct label *mlabel); -typedef void (*mpo_relabel_ifnet_t)(struct ucred *cred, struct ifnet *ifp, +typedef void (*mpo_ifnet_relabel_t)(struct ucred *cred, struct ifnet *ifp, struct label *ifplabel, struct label *newlabel); -typedef void (*mpo_update_ipq_t)(struct mbuf *m, struct label *mlabel, +typedef void (*mpo_ipq_update_t)(struct mbuf *m, struct label *mlabel, struct ipq *ipq, struct label *ipqlabel); typedef void (*mpo_inpcb_sosetlabel_t)(struct socket *so, struct label *label, struct inpcb *inp, struct label *inplabel); -typedef void (*mpo_create_mbuf_from_firewall_t)(struct mbuf *m, +typedef void (*mpo_mbuf_create_from_firewall_t)(struct mbuf *m, struct label *label); typedef void (*mpo_destroy_syncache_label_t)(struct label *label); typedef int (*mpo_init_syncache_label_t)(struct label *label, int flag); 
@@ -337,274 +337,274 @@ typedef void (*mpo_create_mbuf_from_syncache_t)(struct label *sc_label, /* * Labeling event operations: processes. */ -typedef void (*mpo_execve_transition_t)(struct ucred *old, +typedef void (*mpo_vnode_execve_transition_t)(struct ucred *old, struct ucred *new, struct vnode *vp, struct label *vplabel, struct label *interpvnodelabel, struct image_params *imgp, struct label *execlabel); -typedef int (*mpo_execve_will_transition_t)(struct ucred *old, +typedef int (*mpo_vnode_execve_will_transition_t)(struct ucred *old, struct vnode *vp, struct label *vplabel, struct label *interpvnodelabel, struct image_params *imgp, struct label *execlabel); -typedef void (*mpo_create_proc0_t)(struct ucred *cred); -typedef void (*mpo_create_proc1_t)(struct ucred *cred); -typedef void (*mpo_relabel_cred_t)(struct ucred *cred, +typedef void (*mpo_proc_create_swapper_t)(struct ucred *cred); +typedef void (*mpo_proc_create_init_t)(struct ucred *cred); +typedef void (*mpo_cred_relabel_t)(struct ucred *cred, struct label *newlabel); typedef void (*mpo_thread_userret_t)(struct thread *thread); /* * Access control checks. 
*/ -typedef int (*mpo_check_bpfdesc_receive_t)(struct bpf_d *d, +typedef int (*mpo_bpfdesc_check_receive_t)(struct bpf_d *d, struct label *dlabel, struct ifnet *ifp, struct label *ifplabel); -typedef int (*mpo_check_cred_relabel_t)(struct ucred *cred, +typedef int (*mpo_cred_check_relabel_t)(struct ucred *cred, struct label *newlabel); -typedef int (*mpo_check_cred_visible_t)(struct ucred *cr1, +typedef int (*mpo_cred_check_visible_t)(struct ucred *cr1, struct ucred *cr2); -typedef int (*mpo_check_ifnet_relabel_t)(struct ucred *cred, +typedef int (*mpo_ifnet_check_relabel_t)(struct ucred *cred, struct ifnet *ifp, struct label *ifplabel, struct label *newlabel); -typedef int (*mpo_check_ifnet_transmit_t)(struct ifnet *ifp, +typedef int (*mpo_ifnet_check_transmit_t)(struct ifnet *ifp, struct label *ifplabel, struct mbuf *m, struct label *mlabel); -typedef int (*mpo_check_inpcb_deliver_t)(struct inpcb *inp, +typedef int (*mpo_inpcb_check_deliver_t)(struct inpcb *inp, struct label *inplabel, struct mbuf *m, struct label *mlabel); -typedef int (*mpo_check_sysv_msgmsq_t)(struct ucred *cred, +typedef int (*mpo_sysvmsq_check_msgmsq_t)(struct ucred *cred, struct msg *msgptr, struct label *msglabel, struct msqid_kernel *msqkptr, struct label *msqklabel); -typedef int (*mpo_check_sysv_msgrcv_t)(struct ucred *cred, +typedef int (*mpo_sysvmsq_check_msgrcv_t)(struct ucred *cred, struct msg *msgptr, struct label *msglabel); -typedef int (*mpo_check_sysv_msgrmid_t)(struct ucred *cred, +typedef int (*mpo_sysvmsq_check_msgrmid_t)(struct ucred *cred, struct msg *msgptr, struct label *msglabel); -typedef int (*mpo_check_sysv_msqget_t)(struct ucred *cred, +typedef int (*mpo_sysvmsq_check_msqget_t)(struct ucred *cred, struct msqid_kernel *msqkptr, struct label *msqklabel); -typedef int (*mpo_check_sysv_msqsnd_t)(struct ucred *cred, +typedef int (*mpo_sysvmsq_check_msqsnd_t)(struct ucred *cred, struct msqid_kernel *msqkptr, struct label *msqklabel); -typedef int 
(*mpo_check_sysv_msqrcv_t)(struct ucred *cred, +typedef int (*mpo_sysvmsq_check_msqrcv_t)(struct ucred *cred, struct msqid_kernel *msqkptr, struct label *msqklabel); -typedef int (*mpo_check_sysv_msqctl_t)(struct ucred *cred, +typedef int (*mpo_sysvmsq_check_msqctl_t)(struct ucred *cred, struct msqid_kernel *msqkptr, struct label *msqklabel, int cmd); -typedef int (*mpo_check_sysv_semctl_t)(struct ucred *cred, +typedef int (*mpo_sysvsem_check_semctl_t)(struct ucred *cred, struct semid_kernel *semakptr, struct label *semaklabel, int cmd); -typedef int (*mpo_check_sysv_semget_t)(struct ucred *cred, +typedef int (*mpo_sysvsem_check_semget_t)(struct ucred *cred, struct semid_kernel *semakptr, struct label *semaklabel); -typedef int (*mpo_check_sysv_semop_t)(struct ucred *cred, +typedef int (*mpo_sysvsem_check_semop_t)(struct ucred *cred, struct semid_kernel *semakptr, struct label *semaklabel, size_t accesstype); -typedef int (*mpo_check_sysv_shmat_t)(struct ucred *cred, +typedef int (*mpo_sysvshm_check_shmat_t)(struct ucred *cred, struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg); -typedef int (*mpo_check_sysv_shmctl_t)(struct ucred *cred, +typedef int (*mpo_sysvshm_check_shmctl_t)(struct ucred *cred, struct shmid_kernel *shmsegptr, struct label *shmseglabel, int cmd); -typedef int (*mpo_check_sysv_shmdt_t)(struct ucred *cred, +typedef int (*mpo_sysvshm_check_shmdt_t)(struct ucred *cred, struct shmid_kernel *shmsegptr, struct label *shmseglabel); -typedef int (*mpo_check_sysv_shmget_t)(struct ucred *cred, +typedef int (*mpo_sysvshm_check_shmget_t)(struct ucred *cred, struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg); -typedef int (*mpo_check_kenv_dump_t)(struct ucred *cred); -typedef int (*mpo_check_kenv_get_t)(struct ucred *cred, char *name); -typedef int (*mpo_check_kenv_set_t)(struct ucred *cred, char *name, +typedef int (*mpo_kenv_check_dump_t)(struct ucred *cred); +typedef int (*mpo_kenv_check_get_t)(struct ucred *cred, 
char *name); +typedef int (*mpo_kenv_check_set_t)(struct ucred *cred, char *name, char *value); -typedef int (*mpo_check_kenv_unset_t)(struct ucred *cred, char *name); -typedef int (*mpo_check_kld_load_t)(struct ucred *cred, struct vnode *vp, +typedef int (*mpo_kenv_check_unset_t)(struct ucred *cred, char *name); +typedef int (*mpo_kld_check_load_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel); -typedef int (*mpo_check_kld_stat_t)(struct ucred *cred); +typedef int (*mpo_kld_check_stat_t)(struct ucred *cred); typedef int (*mpo_mpo_placeholder19_t)(void); typedef int (*mpo_mpo_placeholder20_t)(void); -typedef int (*mpo_check_mount_stat_t)(struct ucred *cred, +typedef int (*mpo_mount_check_stat_t)(struct ucred *cred, struct mount *mp, struct label *mplabel); typedef int (*mpo_mpo_placeholder21_t)(void); -typedef int (*mpo_check_pipe_ioctl_t)(struct ucred *cred, +typedef int (*mpo_pipe_check_ioctl_t)(struct ucred *cred, struct pipepair *pp, struct label *pplabel, unsigned long cmd, void *data); -typedef int (*mpo_check_pipe_poll_t)(struct ucred *cred, +typedef int (*mpo_pipe_check_poll_t)(struct ucred *cred, struct pipepair *pp, struct label *pplabel); -typedef int (*mpo_check_pipe_read_t)(struct ucred *cred, +typedef int (*mpo_pipe_check_read_t)(struct ucred *cred, struct pipepair *pp, struct label *pplabel); -typedef int (*mpo_check_pipe_relabel_t)(struct ucred *cred, +typedef int (*mpo_pipe_check_relabel_t)(struct ucred *cred, struct pipepair *pp, struct label *pplabel, struct label *newlabel); -typedef int (*mpo_check_pipe_stat_t)(struct ucred *cred, +typedef int (*mpo_pipe_check_stat_t)(struct ucred *cred, struct pipepair *pp, struct label *pplabel); -typedef int (*mpo_check_pipe_write_t)(struct ucred *cred, +typedef int (*mpo_pipe_check_write_t)(struct ucred *cred, struct pipepair *pp, struct label *pplabel); -typedef int (*mpo_check_posix_sem_destroy_t)(struct ucred *cred, +typedef int (*mpo_posixsem_check_destroy_t)(struct ucred *cred, struct 
ksem *ks, struct label *kslabel); -typedef int (*mpo_check_posix_sem_getvalue_t)(struct ucred *cred, +typedef int (*mpo_posixsem_check_getvalue_t)(struct ucred *cred, struct ksem *ks, struct label *kslabel); -typedef int (*mpo_check_posix_sem_open_t)(struct ucred *cred, +typedef int (*mpo_posixsem_check_open_t)(struct ucred *cred, struct ksem *ks, struct label *kslabel); -typedef int (*mpo_check_posix_sem_post_t)(struct ucred *cred, +typedef int (*mpo_posixsem_check_post_t)(struct ucred *cred, struct ksem *ks, struct label *kslabel); -typedef int (*mpo_check_posix_sem_unlink_t)(struct ucred *cred, +typedef int (*mpo_posixsem_check_unlink_t)(struct ucred *cred, struct ksem *ks, struct label *kslabel); -typedef int (*mpo_check_posix_sem_wait_t)(struct ucred *cred, +typedef int (*mpo_posixsem_check_wait_t)(struct ucred *cred, struct ksem *ks, struct label *kslabel); -typedef int (*mpo_check_proc_debug_t)(struct ucred *cred, +typedef int (*mpo_proc_check_debug_t)(struct ucred *cred, struct proc *p); -typedef int (*mpo_check_proc_sched_t)(struct ucred *cred, +typedef int (*mpo_proc_check_sched_t)(struct ucred *cred, struct proc *p); -typedef int (*mpo_check_proc_setaudit_t)(struct ucred *cred, +typedef int (*mpo_proc_check_setaudit_t)(struct ucred *cred, struct auditinfo *ai); -typedef int (*mpo_check_proc_setaudit_addr_t)(struct ucred *cred, +typedef int (*mpo_proc_check_setaudit_addr_t)(struct ucred *cred, struct auditinfo_addr *aia); -typedef int (*mpo_check_proc_setauid_t)(struct ucred *cred, uid_t auid); -typedef int (*mpo_check_proc_setuid_t)(struct ucred *cred, uid_t uid); -typedef int (*mpo_check_proc_seteuid_t)(struct ucred *cred, uid_t euid); -typedef int (*mpo_check_proc_setgid_t)(struct ucred *cred, gid_t gid); -typedef int (*mpo_check_proc_setegid_t)(struct ucred *cred, gid_t egid); -typedef int (*mpo_check_proc_setgroups_t)(struct ucred *cred, int ngroups, +typedef int (*mpo_proc_check_setauid_t)(struct ucred *cred, uid_t auid); +typedef int 
(*mpo_proc_check_setuid_t)(struct ucred *cred, uid_t uid); +typedef int (*mpo_proc_check_seteuid_t)(struct ucred *cred, uid_t euid); +typedef int (*mpo_proc_check_setgid_t)(struct ucred *cred, gid_t gid); +typedef int (*mpo_proc_check_setegid_t)(struct ucred *cred, gid_t egid); +typedef int (*mpo_proc_check_setgroups_t)(struct ucred *cred, int ngroups, gid_t *gidset); -typedef int (*mpo_check_proc_setreuid_t)(struct ucred *cred, uid_t ruid, +typedef int (*mpo_proc_check_setreuid_t)(struct ucred *cred, uid_t ruid, uid_t euid); -typedef int (*mpo_check_proc_setregid_t)(struct ucred *cred, gid_t rgid, +typedef int (*mpo_proc_check_setregid_t)(struct ucred *cred, gid_t rgid, gid_t egid); -typedef int (*mpo_check_proc_setresuid_t)(struct ucred *cred, uid_t ruid, +typedef int (*mpo_proc_check_setresuid_t)(struct ucred *cred, uid_t ruid, uid_t euid, uid_t suid); -typedef int (*mpo_check_proc_setresgid_t)(struct ucred *cred, gid_t rgid, +typedef int (*mpo_proc_check_setresgid_t)(struct ucred *cred, gid_t rgid, gid_t egid, gid_t sgid); -typedef int (*mpo_check_proc_signal_t)(struct ucred *cred, +typedef int (*mpo_proc_check_signal_t)(struct ucred *cred, struct proc *proc, int signum); -typedef int (*mpo_check_proc_wait_t)(struct ucred *cred, +typedef int (*mpo_proc_check_wait_t)(struct ucred *cred, struct proc *proc); -typedef int (*mpo_check_socket_accept_t)(struct ucred *cred, +typedef int (*mpo_socket_check_accept_t)(struct ucred *cred, struct socket *so, struct label *solabel); -typedef int (*mpo_check_socket_bind_t)(struct ucred *cred, +typedef int (*mpo_socket_check_bind_t)(struct ucred *cred, struct socket *so, struct label *solabel, struct sockaddr *sa); -typedef int (*mpo_check_socket_connect_t)(struct ucred *cred, +typedef int (*mpo_socket_check_connect_t)(struct ucred *cred, struct socket *so, struct label *solabel, struct sockaddr *sa); -typedef int (*mpo_check_socket_create_t)(struct ucred *cred, int domain, +typedef int (*mpo_socket_check_create_t)(struct 
ucred *cred, int domain, int type, int protocol); -typedef int (*mpo_check_socket_deliver_t)(struct socket *so, +typedef int (*mpo_socket_check_deliver_t)(struct socket *so, struct label *solabel, struct mbuf *m, struct label *mlabel); -typedef int (*mpo_check_socket_listen_t)(struct ucred *cred, +typedef int (*mpo_socket_check_listen_t)(struct ucred *cred, struct socket *so, struct label *solabel); -typedef int (*mpo_check_socket_poll_t)(struct ucred *cred, +typedef int (*mpo_socket_check_poll_t)(struct ucred *cred, struct socket *so, struct label *solabel); -typedef int (*mpo_check_socket_receive_t)(struct ucred *cred, +typedef int (*mpo_socket_check_receive_t)(struct ucred *cred, struct socket *so, struct label *solabel); -typedef int (*mpo_check_socket_relabel_t)(struct ucred *cred, +typedef int (*mpo_socket_check_relabel_t)(struct ucred *cred, struct socket *so, struct label *solabel, struct label *newlabel); -typedef int (*mpo_check_socket_send_t)(struct ucred *cred, +typedef int (*mpo_socket_check_send_t)(struct ucred *cred, struct socket *so, struct label *solabel); -typedef int (*mpo_check_socket_stat_t)(struct ucred *cred, +typedef int (*mpo_socket_check_stat_t)(struct ucred *cred, struct socket *so, struct label *solabel); -typedef int (*mpo_check_socket_visible_t)(struct ucred *cred, +typedef int (*mpo_socket_check_visible_t)(struct ucred *cred, struct socket *so, struct label *solabel); -typedef int (*mpo_check_system_acct_t)(struct ucred *cred, +typedef int (*mpo_system_check_acct_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel); -typedef int (*mpo_check_system_audit_t)(struct ucred *cred, void *record, +typedef int (*mpo_system_check_audit_t)(struct ucred *cred, void *record, int length); -typedef int (*mpo_check_system_auditctl_t)(struct ucred *cred, +typedef int (*mpo_system_check_auditctl_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel); -typedef int (*mpo_check_system_auditon_t)(struct ucred *cred, int cmd); -typedef 
int (*mpo_check_system_reboot_t)(struct ucred *cred, int howto); -typedef int (*mpo_check_system_swapon_t)(struct ucred *cred, +typedef int (*mpo_system_check_auditon_t)(struct ucred *cred, int cmd); +typedef int (*mpo_system_check_reboot_t)(struct ucred *cred, int howto); +typedef int (*mpo_system_check_swapon_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel); -typedef int (*mpo_check_system_swapoff_t)(struct ucred *cred, +typedef int (*mpo_system_check_swapoff_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel); -typedef int (*mpo_check_system_sysctl_t)(struct ucred *cred, +typedef int (*mpo_system_check_sysctl_t)(struct ucred *cred, struct sysctl_oid *oidp, void *arg1, int arg2, struct sysctl_req *req); -typedef int (*mpo_check_vnode_access_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_access_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel, int acc_mode); -typedef int (*mpo_check_vnode_chdir_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_chdir_t)(struct ucred *cred, struct vnode *dvp, struct label *dvplabel); -typedef int (*mpo_check_vnode_chroot_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_chroot_t)(struct ucred *cred, struct vnode *dvp, struct label *dvplabel); -typedef int (*mpo_check_vnode_create_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_create_t)(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct componentname *cnp, struct vattr *vap); -typedef int (*mpo_check_vnode_deleteacl_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_deleteacl_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel, acl_type_t type); -typedef int (*mpo_check_vnode_deleteextattr_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_deleteextattr_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel, int attrnamespace, const char *name); -typedef int (*mpo_check_vnode_exec_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_exec_t)(struct ucred *cred, struct vnode *vp, 
struct label *vplabel, struct image_params *imgp, struct label *execlabel); -typedef int (*mpo_check_vnode_getacl_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_getacl_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel, acl_type_t type); -typedef int (*mpo_check_vnode_getextattr_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_getextattr_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel, int attrnamespace, const char *name, struct uio *uio); -typedef int (*mpo_check_vnode_link_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_link_t)(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp); -typedef int (*mpo_check_vnode_listextattr_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_listextattr_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel, int attrnamespace); -typedef int (*mpo_check_vnode_lookup_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_lookup_t)(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct componentname *cnp); -typedef int (*mpo_check_vnode_mmap_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_mmap_t)(struct ucred *cred, struct vnode *vp, struct label *label, int prot, int flags); -typedef void (*mpo_check_vnode_mmap_downgrade_t)(struct ucred *cred, +typedef void (*mpo_vnode_check_mmap_downgrade_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel, int *prot); -typedef int (*mpo_check_vnode_mprotect_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_mprotect_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel, int prot); -typedef int (*mpo_check_vnode_open_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_open_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel, int acc_mode); -typedef int (*mpo_check_vnode_poll_t)(struct ucred *active_cred, +typedef int (*mpo_vnode_check_poll_t)(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, 
struct label *vplabel); -typedef int (*mpo_check_vnode_read_t)(struct ucred *active_cred, +typedef int (*mpo_vnode_check_read_t)(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, struct label *vplabel); -typedef int (*mpo_check_vnode_readdir_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_readdir_t)(struct ucred *cred, struct vnode *dvp, struct label *dvplabel); -typedef int (*mpo_check_vnode_readlink_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_readlink_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel); -typedef int (*mpo_check_vnode_relabel_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_relabel_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct label *newlabel); -typedef int (*mpo_check_vnode_rename_from_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_rename_from_t)(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp); -typedef int (*mpo_check_vnode_rename_to_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_rename_to_t)(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, int samedir, struct componentname *cnp); -typedef int (*mpo_check_vnode_revoke_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_revoke_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel); -typedef int (*mpo_check_vnode_setacl_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_setacl_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel, acl_type_t type, struct acl *acl); -typedef int (*mpo_check_vnode_setextattr_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_setextattr_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel, int attrnamespace, const char *name, struct uio *uio); -typedef int (*mpo_check_vnode_setflags_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_setflags_t)(struct ucred *cred, struct vnode *vp, struct label 
*vplabel, u_long flags); -typedef int (*mpo_check_vnode_setmode_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_setmode_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel, mode_t mode); -typedef int (*mpo_check_vnode_setowner_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_setowner_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel, uid_t uid, gid_t gid); -typedef int (*mpo_check_vnode_setutimes_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_setutimes_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct timespec atime, struct timespec mtime); -typedef int (*mpo_check_vnode_stat_t)(struct ucred *active_cred, +typedef int (*mpo_vnode_check_stat_t)(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, struct label *vplabel); -typedef int (*mpo_check_vnode_unlink_t)(struct ucred *cred, +typedef int (*mpo_vnode_check_unlink_t)(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp); -typedef int (*mpo_check_vnode_write_t)(struct ucred *active_cred, +typedef int (*mpo_vnode_check_write_t)(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, struct label *vplabel); typedef void (*mpo_associate_nfsd_label_t)(struct ucred *cred); 
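Review bot: Under the new `mpo_<object>_check_<method>` naming, `mpo_vnode_check_mmap_downgrade_t` is the only `_check_` typedef in this hunk that returns `void` instead of an `int` error. Its output apparently goes through `int *prot`, so a policy author reading it next to `mpo_vnode_check_mmap_t` could wrongly expect it to allow or deny the mapping. I would add a comment above it such as `/* Not an access decision: returns no error; any change is made through *prot. */`. The object prefix also does not always name the labelled argument: `mpo_sysvmsq_check_msgrcv_t` and `mpo_sysvmsq_check_msgrmid_t` take a credential plus a `struct msg *` and its label but no queue, although the earlier hunk uses `sysvmsg` for message objects, and `mpo_proc_create_swapper_t` and `mpo_proc_create_init_t` take only a `struct ucred *`. A one-line note under the "Access control checks." comment, saying the prefix names the subsystem rather than the argument whose label is consulted, would help policy writers wire the right label into each entry point.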
@@ -631,151 +631,151 @@ struct mac_policy_ops { * initialized storage, and externalize/internalize from/to * initialized storage. */ - mpo_init_bpfdesc_label_t mpo_init_bpfdesc_label; - mpo_init_cred_label_t mpo_init_cred_label; - mpo_init_devfs_label_t mpo_init_devfs_label; + mpo_bpfdesc_init_label_t mpo_bpfdesc_init_label; + mpo_cred_init_label_t mpo_cred_init_label; + mpo_devfs_init_label_t mpo_devfs_init_label; mpo_placeholder_t _mpo_placeholder0; - mpo_init_ifnet_label_t mpo_init_ifnet_label; - mpo_init_inpcb_label_t mpo_init_inpcb_label; - mpo_init_sysv_msgmsg_label_t mpo_init_sysv_msgmsg_label; - mpo_init_sysv_msgqueue_label_t mpo_init_sysv_msgqueue_label; - mpo_init_sysv_sem_label_t mpo_init_sysv_sem_label; - mpo_init_sysv_shm_label_t mpo_init_sysv_shm_label; - mpo_init_ipq_label_t mpo_init_ipq_label; - mpo_init_mbuf_label_t mpo_init_mbuf_label; - mpo_init_mount_label_t mpo_init_mount_label; - mpo_init_socket_label_t mpo_init_socket_label; - mpo_init_socket_peer_label_t mpo_init_socket_peer_label; - mpo_init_pipe_label_t mpo_init_pipe_label; - mpo_init_posix_sem_label_t mpo_init_posix_sem_label; - mpo_init_proc_label_t mpo_init_proc_label; - mpo_init_vnode_label_t mpo_init_vnode_label; - mpo_destroy_bpfdesc_label_t mpo_destroy_bpfdesc_label; - mpo_destroy_cred_label_t mpo_destroy_cred_label; - mpo_destroy_devfs_label_t mpo_destroy_devfs_label; + mpo_ifnet_init_label_t mpo_ifnet_init_label; + mpo_inpcb_init_label_t mpo_inpcb_init_label; + mpo_sysvmsg_init_label_t mpo_sysvmsg_init_label; + mpo_sysvmsq_init_label_t mpo_sysvmsq_init_label; + mpo_sysvsem_init_label_t mpo_sysvsem_init_label; + mpo_sysvshm_init_label_t mpo_sysvshm_init_label; + mpo_ipq_init_label_t mpo_ipq_init_label; + mpo_mbuf_init_label_t mpo_mbuf_init_label; + mpo_mount_init_label_t mpo_mount_init_label; + mpo_socket_init_label_t mpo_socket_init_label; + mpo_socketpeer_init_label_t mpo_socketpeer_init_label; + mpo_pipe_init_label_t mpo_pipe_init_label; + mpo_posixsem_init_label_t 
mpo_posixsem_init_label; + mpo_proc_init_label_t mpo_proc_init_label; + mpo_vnode_init_label_t mpo_vnode_init_label; + mpo_bpfdesc_destroy_label_t mpo_bpfdesc_destroy_label; + mpo_cred_destroy_label_t mpo_cred_destroy_label; + mpo_devfs_destroy_label_t mpo_devfs_destroy_label; mpo_placeholder_t _mpo_placeholder1; - mpo_destroy_ifnet_label_t mpo_destroy_ifnet_label; - mpo_destroy_inpcb_label_t mpo_destroy_inpcb_label; - mpo_destroy_sysv_msgmsg_label_t mpo_destroy_sysv_msgmsg_label; - mpo_destroy_sysv_msgqueue_label_t mpo_destroy_sysv_msgqueue_label; - mpo_destroy_sysv_sem_label_t mpo_destroy_sysv_sem_label; - mpo_destroy_sysv_shm_label_t mpo_destroy_sysv_shm_label; - mpo_destroy_ipq_label_t mpo_destroy_ipq_label; - mpo_destroy_mbuf_label_t mpo_destroy_mbuf_label; - mpo_destroy_mount_label_t mpo_destroy_mount_label; - mpo_destroy_socket_label_t mpo_destroy_socket_label; - mpo_destroy_socket_peer_label_t mpo_destroy_socket_peer_label; - mpo_destroy_pipe_label_t mpo_destroy_pipe_label; - mpo_destroy_posix_sem_label_t mpo_destroy_posix_sem_label; - mpo_destroy_proc_label_t mpo_destroy_proc_label; - mpo_destroy_vnode_label_t mpo_destroy_vnode_label; - mpo_cleanup_sysv_msgmsg_t mpo_cleanup_sysv_msgmsg; - mpo_cleanup_sysv_msgqueue_t mpo_cleanup_sysv_msgqueue; - mpo_cleanup_sysv_sem_t mpo_cleanup_sysv_sem; - mpo_cleanup_sysv_shm_t mpo_cleanup_sysv_shm; - mpo_copy_cred_label_t mpo_copy_cred_label; - mpo_copy_ifnet_label_t mpo_copy_ifnet_label; - mpo_copy_mbuf_label_t mpo_copy_mbuf_label; + mpo_ifnet_destroy_label_t mpo_ifnet_destroy_label; + mpo_inpcb_destroy_label_t mpo_inpcb_destroy_label; + mpo_sysvmsg_destroy_label_t mpo_sysvmsg_destroy_label; + mpo_sysvmsq_destroy_label_t mpo_sysvmsq_destroy_label; + mpo_sysvsem_destroy_label_t mpo_sysvsem_destroy_label; + mpo_sysvshm_destroy_label_t mpo_sysvshm_destroy_label; + mpo_ipq_destroy_label_t mpo_ipq_destroy_label; + mpo_mbuf_destroy_label_t mpo_mbuf_destroy_label; + mpo_mount_destroy_label_t mpo_mount_destroy_label; + 
mpo_socket_destroy_label_t mpo_socket_destroy_label; + mpo_socketpeer_destroy_label_t mpo_socketpeer_destroy_label; + mpo_pipe_destroy_label_t mpo_pipe_destroy_label; + mpo_posixsem_destroy_label_t mpo_posixsem_destroy_label; + mpo_proc_destroy_label_t mpo_proc_destroy_label; + mpo_vnode_destroy_label_t mpo_vnode_destroy_label; + mpo_sysvmsg_cleanup_t mpo_sysvmsg_cleanup; + mpo_sysvmsq_cleanup_t mpo_sysvmsq_cleanup; + mpo_sysvsem_cleanup_t mpo_sysvsem_cleanup; + mpo_sysvshm_cleanup_t mpo_sysvshm_cleanup; + mpo_cred_copy_label_t mpo_cred_copy_label; + mpo_ifnet_copy_label_t mpo_ifnet_copy_label; + mpo_mbuf_copy_label_t mpo_mbuf_copy_label; mpo_placeholder_t _mpo_placeholder2; - mpo_copy_pipe_label_t mpo_copy_pipe_label; - mpo_copy_socket_label_t mpo_copy_socket_label; - mpo_copy_vnode_label_t mpo_copy_vnode_label; - mpo_externalize_cred_label_t mpo_externalize_cred_label; - mpo_externalize_ifnet_label_t mpo_externalize_ifnet_label; + mpo_pipe_copy_label_t mpo_pipe_copy_label; + mpo_socket_copy_label_t mpo_socket_copy_label; + mpo_vnode_copy_label_t mpo_vnode_copy_label; + mpo_cred_externalize_label_t mpo_cred_externalize_label; + mpo_ifnet_externalize_label_t mpo_ifnet_externalize_label; mpo_placeholder_t _mpo_placeholder3; - mpo_externalize_pipe_label_t mpo_externalize_pipe_label; - mpo_externalize_socket_label_t mpo_externalize_socket_label; - mpo_externalize_socket_peer_label_t mpo_externalize_socket_peer_label; - mpo_externalize_vnode_label_t mpo_externalize_vnode_label; - mpo_internalize_cred_label_t mpo_internalize_cred_label; - mpo_internalize_ifnet_label_t mpo_internalize_ifnet_label; + mpo_pipe_externalize_label_t mpo_pipe_externalize_label; + mpo_socket_externalize_label_t mpo_socket_externalize_label; + mpo_socketpeer_externalize_label_t mpo_socketpeer_externalize_label; + mpo_vnode_externalize_label_t mpo_vnode_externalize_label; + mpo_cred_internalize_label_t mpo_cred_internalize_label; + mpo_ifnet_internalize_label_t mpo_ifnet_internalize_label; 
mpo_placeholder_t _mpo_placeholder4; - mpo_internalize_pipe_label_t mpo_internalize_pipe_label; - mpo_internalize_socket_label_t mpo_internalize_socket_label; - mpo_internalize_vnode_label_t mpo_internalize_vnode_label; + mpo_pipe_internalize_label_t mpo_pipe_internalize_label; + mpo_socket_internalize_label_t mpo_socket_internalize_label; + mpo_vnode_internalize_label_t mpo_vnode_internalize_label; /* * Labeling event operations: file system objects, and things that * look a lot like file system objects. */ - mpo_associate_vnode_devfs_t mpo_associate_vnode_devfs; - mpo_associate_vnode_extattr_t mpo_associate_vnode_extattr; - mpo_associate_vnode_singlelabel_t mpo_associate_vnode_singlelabel; - mpo_create_devfs_device_t mpo_create_devfs_device; - mpo_create_devfs_directory_t mpo_create_devfs_directory; - mpo_create_devfs_symlink_t mpo_create_devfs_symlink; + mpo_devfs_vnode_associate_t mpo_devfs_vnode_associate; + mpo_vnode_associate_extattr_t mpo_vnode_associate_extattr; + mpo_vnode_associate_singlelabel_t mpo_vnode_associate_singlelabel; + mpo_devfs_create_device_t mpo_devfs_create_device; + mpo_devfs_create_directory_t mpo_devfs_create_directory; + mpo_devfs_create_symlink_t mpo_devfs_create_symlink; mpo_placeholder_t _mpo_placeholder5; - mpo_create_vnode_extattr_t mpo_create_vnode_extattr; - mpo_create_mount_t mpo_create_mount; - mpo_relabel_vnode_t mpo_relabel_vnode; - mpo_setlabel_vnode_extattr_t mpo_setlabel_vnode_extattr; - mpo_update_devfs_t mpo_update_devfs; + mpo_vnode_create_extattr_t mpo_vnode_create_extattr; + mpo_mount_create_t mpo_mount_create; + mpo_vnode_relabel_t mpo_vnode_relabel; + mpo_vnode_setlabel_extattr_t mpo_vnode_setlabel_extattr; + mpo_devfs_update_t mpo_devfs_update; /* * Labeling event operations: IPC objects. 
*/ - mpo_create_mbuf_from_socket_t mpo_create_mbuf_from_socket; - mpo_create_socket_t mpo_create_socket; - mpo_create_socket_from_socket_t mpo_create_socket_from_socket; - mpo_relabel_socket_t mpo_relabel_socket; - mpo_relabel_pipe_t mpo_relabel_pipe; - mpo_set_socket_peer_from_mbuf_t mpo_set_socket_peer_from_mbuf; - mpo_set_socket_peer_from_socket_t mpo_set_socket_peer_from_socket; - mpo_create_pipe_t mpo_create_pipe; + mpo_socket_create_mbuf_t mpo_socket_create_mbuf; + mpo_socket_create_t mpo_socket_create; + mpo_socket_newconn_t mpo_socket_newconn; + mpo_socket_relabel_t mpo_socket_relabel; + mpo_pipe_relabel_t mpo_pipe_relabel; + mpo_socketpeer_set_from_mbuf_t mpo_socketpeer_set_from_mbuf; + mpo_socketpeer_set_from_socket_t mpo_socketpeer_set_from_socket; + mpo_pipe_create_t mpo_pipe_create; /* * Labeling event operations: System V IPC primitives. */ - mpo_create_sysv_msgmsg_t mpo_create_sysv_msgmsg; - mpo_create_sysv_msgqueue_t mpo_create_sysv_msgqueue; - mpo_create_sysv_sem_t mpo_create_sysv_sem; - mpo_create_sysv_shm_t mpo_create_sysv_shm; + mpo_sysvmsg_create_t mpo_sysvmsg_create; + mpo_sysvmsq_create_t mpo_sysvmsq_create; + mpo_sysvsem_create_t mpo_sysvsem_create; + mpo_sysvshm_create_t mpo_sysvshm_create; /* * Labeling event operations: POSIX (global/inter-process) semaphores. */ - mpo_create_posix_sem_t mpo_create_posix_sem; + mpo_posixsem_create_t mpo_posixsem_create; /* * Labeling event operations: network objects. 
*/ - mpo_create_bpfdesc_t mpo_create_bpfdesc; - mpo_create_ifnet_t mpo_create_ifnet; - mpo_create_inpcb_from_socket_t mpo_create_inpcb_from_socket; - mpo_create_ipq_t mpo_create_ipq; - mpo_create_datagram_from_ipq mpo_create_datagram_from_ipq; - mpo_create_fragment_t mpo_create_fragment; - mpo_create_mbuf_from_inpcb_t mpo_create_mbuf_from_inpcb; + mpo_bpfdesc_create_t mpo_bpfdesc_create; + mpo_ifnet_create_t mpo_ifnet_create; + mpo_inpcb_create_t mpo_inpcb_create; + mpo_ipq_create_t mpo_ipq_create; + mpo_ipq_reassemble mpo_ipq_reassemble; + mpo_netinet_fragment_t mpo_netinet_fragment; + mpo_inpcb_create_mbuf_t mpo_inpcb_create_mbuf; mpo_create_mbuf_linklayer_t mpo_create_mbuf_linklayer; - mpo_create_mbuf_from_bpfdesc_t mpo_create_mbuf_from_bpfdesc; - mpo_create_mbuf_from_ifnet_t mpo_create_mbuf_from_ifnet; - mpo_create_mbuf_multicast_encap_t mpo_create_mbuf_multicast_encap; - mpo_create_mbuf_netlayer_t mpo_create_mbuf_netlayer; - mpo_fragment_match_t mpo_fragment_match; - mpo_reflect_mbuf_icmp_t mpo_reflect_mbuf_icmp; - mpo_reflect_mbuf_tcp_t mpo_reflect_mbuf_tcp; - mpo_relabel_ifnet_t mpo_relabel_ifnet; - mpo_update_ipq_t mpo_update_ipq; + mpo_bpfdesc_create_mbuf_t mpo_bpfdesc_create_mbuf; + mpo_ifnet_create_mbuf_t mpo_ifnet_create_mbuf; + mpo_mbuf_create_multicast_encap_t mpo_mbuf_create_multicast_encap; + mpo_mbuf_create_netlayer_t mpo_mbuf_create_netlayer; + mpo_ipq_match_t mpo_ipq_match; + mpo_netinet_icmp_reply_t mpo_netinet_icmp_reply; + mpo_netinet_tcp_reply_t mpo_netinet_tcp_reply; + mpo_ifnet_relabel_t mpo_ifnet_relabel; + mpo_ipq_update_t mpo_ipq_update; mpo_inpcb_sosetlabel_t mpo_inpcb_sosetlabel; /* * Labeling event operations: processes. 
*/ - mpo_execve_transition_t mpo_execve_transition; - mpo_execve_will_transition_t mpo_execve_will_transition; - mpo_create_proc0_t mpo_create_proc0; - mpo_create_proc1_t mpo_create_proc1; - mpo_relabel_cred_t mpo_relabel_cred; + mpo_vnode_execve_transition_t mpo_vnode_execve_transition; + mpo_vnode_execve_will_transition_t mpo_vnode_execve_will_transition; + mpo_proc_create_swapper_t mpo_proc_create_swapper; + mpo_proc_create_init_t mpo_proc_create_init; + mpo_cred_relabel_t mpo_cred_relabel; mpo_placeholder_t _mpo_placeholder6; mpo_thread_userret_t mpo_thread_userret; /* * Access control checks. */ - mpo_check_bpfdesc_receive_t mpo_check_bpfdesc_receive; + mpo_bpfdesc_check_receive_t mpo_bpfdesc_check_receive; mpo_placeholder_t _mpo_placeholder7; - mpo_check_cred_relabel_t mpo_check_cred_relabel; - mpo_check_cred_visible_t mpo_check_cred_visible; + mpo_cred_check_relabel_t mpo_cred_check_relabel; + mpo_cred_check_visible_t mpo_cred_check_visible; mpo_placeholder_t _mpo_placeholder8; mpo_placeholder_t _mpo_placeholder9; mpo_placeholder_t _mpo_placeholder10; 
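Review bot: `mpo_ipq_reassemble mpo_ipq_reassemble;` in the network-objects group keeps a type name without the `_t` suffix, so type and member share one identifier while every other entry in `struct mac_policy_ops` reads `mpo_<name>_t mpo_<name>;`. Since the line is being renamed anyway, `mpo_ipq_reassemble_t mpo_ipq_reassemble;` would bring it in line, with the typedef (presumably declared earlier in the file, outside this hunk) renamed to match. The same group leaves `mpo_create_mbuf_linklayer` in the old verb-first order, and the next hunk leaves `mpo_associate_nfsd_label` and the three `*syncache*` members untouched, so the table ends up mixing both conventions. A one-line comment marking those entries as deliberately deferred would help policy authors. The struct starts before and continues past this hunk.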
@@ -787,119 +787,119 @@ struct mac_policy_ops { mpo_placeholder_t _mpo_placeholder16; mpo_placeholder_t _mpo_placeholder17; mpo_placeholder_t _mpo_placeholder18; - mpo_check_ifnet_relabel_t mpo_check_ifnet_relabel; - mpo_check_ifnet_transmit_t mpo_check_ifnet_transmit; - mpo_check_inpcb_deliver_t mpo_check_inpcb_deliver; - mpo_check_sysv_msgmsq_t mpo_check_sysv_msgmsq; - mpo_check_sysv_msgrcv_t mpo_check_sysv_msgrcv; - mpo_check_sysv_msgrmid_t mpo_check_sysv_msgrmid; - mpo_check_sysv_msqget_t mpo_check_sysv_msqget; - mpo_check_sysv_msqsnd_t mpo_check_sysv_msqsnd; - mpo_check_sysv_msqrcv_t mpo_check_sysv_msqrcv; - mpo_check_sysv_msqctl_t mpo_check_sysv_msqctl; - mpo_check_sysv_semctl_t mpo_check_sysv_semctl; - mpo_check_sysv_semget_t mpo_check_sysv_semget; - mpo_check_sysv_semop_t mpo_check_sysv_semop; - mpo_check_sysv_shmat_t mpo_check_sysv_shmat; - mpo_check_sysv_shmctl_t mpo_check_sysv_shmctl; - mpo_check_sysv_shmdt_t mpo_check_sysv_shmdt; - mpo_check_sysv_shmget_t mpo_check_sysv_shmget; - mpo_check_kenv_dump_t mpo_check_kenv_dump; - mpo_check_kenv_get_t mpo_check_kenv_get; - mpo_check_kenv_set_t mpo_check_kenv_set; - mpo_check_kenv_unset_t mpo_check_kenv_unset; - mpo_check_kld_load_t mpo_check_kld_load; - mpo_check_kld_stat_t mpo_check_kld_stat; + mpo_ifnet_check_relabel_t mpo_ifnet_check_relabel; + mpo_ifnet_check_transmit_t mpo_ifnet_check_transmit; + mpo_inpcb_check_deliver_t mpo_inpcb_check_deliver; + mpo_sysvmsq_check_msgmsq_t mpo_sysvmsq_check_msgmsq; + mpo_sysvmsq_check_msgrcv_t mpo_sysvmsq_check_msgrcv; + mpo_sysvmsq_check_msgrmid_t mpo_sysvmsq_check_msgrmid; + mpo_sysvmsq_check_msqget_t mpo_sysvmsq_check_msqget; + mpo_sysvmsq_check_msqsnd_t mpo_sysvmsq_check_msqsnd; + mpo_sysvmsq_check_msqrcv_t mpo_sysvmsq_check_msqrcv; + mpo_sysvmsq_check_msqctl_t mpo_sysvmsq_check_msqctl; + mpo_sysvsem_check_semctl_t mpo_sysvsem_check_semctl; + mpo_sysvsem_check_semget_t mpo_sysvsem_check_semget; + mpo_sysvsem_check_semop_t mpo_sysvsem_check_semop; + 
mpo_sysvshm_check_shmat_t mpo_sysvshm_check_shmat; + mpo_sysvshm_check_shmctl_t mpo_sysvshm_check_shmctl; + mpo_sysvshm_check_shmdt_t mpo_sysvshm_check_shmdt; + mpo_sysvshm_check_shmget_t mpo_sysvshm_check_shmget; + mpo_kenv_check_dump_t mpo_kenv_check_dump; + mpo_kenv_check_get_t mpo_kenv_check_get; + mpo_kenv_check_set_t mpo_kenv_check_set; + mpo_kenv_check_unset_t mpo_kenv_check_unset; + mpo_kld_check_load_t mpo_kld_check_load; + mpo_kld_check_stat_t mpo_kld_check_stat; mpo_placeholder_t _mpo_placeholder19; mpo_placeholder_t _mpo_placeholder20; - mpo_check_mount_stat_t mpo_check_mount_stat; + mpo_mount_check_stat_t mpo_mount_check_stat; mpo_placeholder_t _mpo_placeholder_21; - mpo_check_pipe_ioctl_t mpo_check_pipe_ioctl; - mpo_check_pipe_poll_t mpo_check_pipe_poll; - mpo_check_pipe_read_t mpo_check_pipe_read; - mpo_check_pipe_relabel_t mpo_check_pipe_relabel; - mpo_check_pipe_stat_t mpo_check_pipe_stat; - mpo_check_pipe_write_t mpo_check_pipe_write; - mpo_check_posix_sem_destroy_t mpo_check_posix_sem_destroy; - mpo_check_posix_sem_getvalue_t mpo_check_posix_sem_getvalue; - mpo_check_posix_sem_open_t mpo_check_posix_sem_open; - mpo_check_posix_sem_post_t mpo_check_posix_sem_post; - mpo_check_posix_sem_unlink_t mpo_check_posix_sem_unlink; - mpo_check_posix_sem_wait_t mpo_check_posix_sem_wait; - mpo_check_proc_debug_t mpo_check_proc_debug; - mpo_check_proc_sched_t mpo_check_proc_sched; - mpo_check_proc_setaudit_t mpo_check_proc_setaudit; - mpo_check_proc_setaudit_addr_t mpo_check_proc_setaudit_addr; - mpo_check_proc_setauid_t mpo_check_proc_setauid; - mpo_check_proc_setuid_t mpo_check_proc_setuid; - mpo_check_proc_seteuid_t mpo_check_proc_seteuid; - mpo_check_proc_setgid_t mpo_check_proc_setgid; - mpo_check_proc_setegid_t mpo_check_proc_setegid; - mpo_check_proc_setgroups_t mpo_check_proc_setgroups; - mpo_check_proc_setreuid_t mpo_check_proc_setreuid; - mpo_check_proc_setregid_t mpo_check_proc_setregid; - mpo_check_proc_setresuid_t mpo_check_proc_setresuid; - 
mpo_check_proc_setresgid_t mpo_check_proc_setresgid; - mpo_check_proc_signal_t mpo_check_proc_signal; - mpo_check_proc_wait_t mpo_check_proc_wait; - mpo_check_socket_accept_t mpo_check_socket_accept; - mpo_check_socket_bind_t mpo_check_socket_bind; - mpo_check_socket_connect_t mpo_check_socket_connect; - mpo_check_socket_create_t mpo_check_socket_create; - mpo_check_socket_deliver_t mpo_check_socket_deliver; + mpo_pipe_check_ioctl_t mpo_pipe_check_ioctl; + mpo_pipe_check_poll_t mpo_pipe_check_poll; + mpo_pipe_check_read_t mpo_pipe_check_read; + mpo_pipe_check_relabel_t mpo_pipe_check_relabel; + mpo_pipe_check_stat_t mpo_pipe_check_stat; + mpo_pipe_check_write_t mpo_pipe_check_write; + mpo_posixsem_check_destroy_t mpo_posixsem_check_destroy; + mpo_posixsem_check_getvalue_t mpo_posixsem_check_getvalue; + mpo_posixsem_check_open_t mpo_posixsem_check_open; + mpo_posixsem_check_post_t mpo_posixsem_check_post; + mpo_posixsem_check_unlink_t mpo_posixsem_check_unlink; + mpo_posixsem_check_wait_t mpo_posixsem_check_wait; + mpo_proc_check_debug_t mpo_proc_check_debug; + mpo_proc_check_sched_t mpo_proc_check_sched; + mpo_proc_check_setaudit_t mpo_proc_check_setaudit; + mpo_proc_check_setaudit_addr_t mpo_proc_check_setaudit_addr; + mpo_proc_check_setauid_t mpo_proc_check_setauid; + mpo_proc_check_setuid_t mpo_proc_check_setuid; + mpo_proc_check_seteuid_t mpo_proc_check_seteuid; + mpo_proc_check_setgid_t mpo_proc_check_setgid; + mpo_proc_check_setegid_t mpo_proc_check_setegid; + mpo_proc_check_setgroups_t mpo_proc_check_setgroups; + mpo_proc_check_setreuid_t mpo_proc_check_setreuid; + mpo_proc_check_setregid_t mpo_proc_check_setregid; + mpo_proc_check_setresuid_t mpo_proc_check_setresuid; + mpo_proc_check_setresgid_t mpo_proc_check_setresgid; + mpo_proc_check_signal_t mpo_proc_check_signal; + mpo_proc_check_wait_t mpo_proc_check_wait; + mpo_socket_check_accept_t mpo_socket_check_accept; + mpo_socket_check_bind_t mpo_socket_check_bind; + mpo_socket_check_connect_t 
mpo_socket_check_connect; + mpo_socket_check_create_t mpo_socket_check_create; + mpo_socket_check_deliver_t mpo_socket_check_deliver; mpo_placeholder_t _mpo_placeholder22; - mpo_check_socket_listen_t mpo_check_socket_listen; - mpo_check_socket_poll_t mpo_check_socket_poll; - mpo_check_socket_receive_t mpo_check_socket_receive; - mpo_check_socket_relabel_t mpo_check_socket_relabel; - mpo_check_socket_send_t mpo_check_socket_send; - mpo_check_socket_stat_t mpo_check_socket_stat; - mpo_check_socket_visible_t mpo_check_socket_visible; - mpo_check_system_acct_t mpo_check_system_acct; - mpo_check_system_audit_t mpo_check_system_audit; - mpo_check_system_auditctl_t mpo_check_system_auditctl; - mpo_check_system_auditon_t mpo_check_system_auditon; - mpo_check_system_reboot_t mpo_check_system_reboot; - mpo_check_system_swapon_t mpo_check_system_swapon; - mpo_check_system_swapoff_t mpo_check_system_swapoff; - mpo_check_system_sysctl_t mpo_check_system_sysctl; + mpo_socket_check_listen_t mpo_socket_check_listen; + mpo_socket_check_poll_t mpo_socket_check_poll; + mpo_socket_check_receive_t mpo_socket_check_receive; + mpo_socket_check_relabel_t mpo_socket_check_relabel; + mpo_socket_check_send_t mpo_socket_check_send; + mpo_socket_check_stat_t mpo_socket_check_stat; + mpo_socket_check_visible_t mpo_socket_check_visible; + mpo_system_check_acct_t mpo_system_check_acct; + mpo_system_check_audit_t mpo_system_check_audit; + mpo_system_check_auditctl_t mpo_system_check_auditctl; + mpo_system_check_auditon_t mpo_system_check_auditon; + mpo_system_check_reboot_t mpo_system_check_reboot; + mpo_system_check_swapon_t mpo_system_check_swapon; + mpo_system_check_swapoff_t mpo_system_check_swapoff; + mpo_system_check_sysctl_t mpo_system_check_sysctl; mpo_placeholder_t _mpo_placeholder23; - mpo_check_vnode_access_t mpo_check_vnode_access; - mpo_check_vnode_chdir_t mpo_check_vnode_chdir; - mpo_check_vnode_chroot_t mpo_check_vnode_chroot; - mpo_check_vnode_create_t mpo_check_vnode_create; - 
mpo_check_vnode_deleteacl_t mpo_check_vnode_deleteacl; - mpo_check_vnode_deleteextattr_t mpo_check_vnode_deleteextattr; - mpo_check_vnode_exec_t mpo_check_vnode_exec; - mpo_check_vnode_getacl_t mpo_check_vnode_getacl; - mpo_check_vnode_getextattr_t mpo_check_vnode_getextattr; + mpo_vnode_check_access_t mpo_vnode_check_access; + mpo_vnode_check_chdir_t mpo_vnode_check_chdir; + mpo_vnode_check_chroot_t mpo_vnode_check_chroot; + mpo_vnode_check_create_t mpo_vnode_check_create; + mpo_vnode_check_deleteacl_t mpo_vnode_check_deleteacl; + mpo_vnode_check_deleteextattr_t mpo_vnode_check_deleteextattr; + mpo_vnode_check_exec_t mpo_vnode_check_exec; + mpo_vnode_check_getacl_t mpo_vnode_check_getacl; + mpo_vnode_check_getextattr_t mpo_vnode_check_getextattr; mpo_placeholder_t _mpo_placeholder24; - mpo_check_vnode_link_t mpo_check_vnode_link; - mpo_check_vnode_listextattr_t mpo_check_vnode_listextattr; - mpo_check_vnode_lookup_t mpo_check_vnode_lookup; - mpo_check_vnode_mmap_t mpo_check_vnode_mmap; - mpo_check_vnode_mmap_downgrade_t mpo_check_vnode_mmap_downgrade; - mpo_check_vnode_mprotect_t mpo_check_vnode_mprotect; - mpo_check_vnode_open_t mpo_check_vnode_open; - mpo_check_vnode_poll_t mpo_check_vnode_poll; - mpo_check_vnode_read_t mpo_check_vnode_read; - mpo_check_vnode_readdir_t mpo_check_vnode_readdir; - mpo_check_vnode_readlink_t mpo_check_vnode_readlink; - mpo_check_vnode_relabel_t mpo_check_vnode_relabel; - mpo_check_vnode_rename_from_t mpo_check_vnode_rename_from; - mpo_check_vnode_rename_to_t mpo_check_vnode_rename_to; - mpo_check_vnode_revoke_t mpo_check_vnode_revoke; - mpo_check_vnode_setacl_t mpo_check_vnode_setacl; - mpo_check_vnode_setextattr_t mpo_check_vnode_setextattr; - mpo_check_vnode_setflags_t mpo_check_vnode_setflags; - mpo_check_vnode_setmode_t mpo_check_vnode_setmode; - mpo_check_vnode_setowner_t mpo_check_vnode_setowner; - mpo_check_vnode_setutimes_t mpo_check_vnode_setutimes; - mpo_check_vnode_stat_t mpo_check_vnode_stat; - mpo_check_vnode_unlink_t 
mpo_check_vnode_unlink; - mpo_check_vnode_write_t mpo_check_vnode_write; + mpo_vnode_check_link_t mpo_vnode_check_link; + mpo_vnode_check_listextattr_t mpo_vnode_check_listextattr; + mpo_vnode_check_lookup_t mpo_vnode_check_lookup; + mpo_vnode_check_mmap_t mpo_vnode_check_mmap; + mpo_vnode_check_mmap_downgrade_t mpo_vnode_check_mmap_downgrade; + mpo_vnode_check_mprotect_t mpo_vnode_check_mprotect; + mpo_vnode_check_open_t mpo_vnode_check_open; + mpo_vnode_check_poll_t mpo_vnode_check_poll; + mpo_vnode_check_read_t mpo_vnode_check_read; + mpo_vnode_check_readdir_t mpo_vnode_check_readdir; + mpo_vnode_check_readlink_t mpo_vnode_check_readlink; + mpo_vnode_check_relabel_t mpo_vnode_check_relabel; + mpo_vnode_check_rename_from_t mpo_vnode_check_rename_from; + mpo_vnode_check_rename_to_t mpo_vnode_check_rename_to; + mpo_vnode_check_revoke_t mpo_vnode_check_revoke; + mpo_vnode_check_setacl_t mpo_vnode_check_setacl; + mpo_vnode_check_setextattr_t mpo_vnode_check_setextattr; + mpo_vnode_check_setflags_t mpo_vnode_check_setflags; + mpo_vnode_check_setmode_t mpo_vnode_check_setmode; + mpo_vnode_check_setowner_t mpo_vnode_check_setowner; + mpo_vnode_check_setutimes_t mpo_vnode_check_setutimes; + mpo_vnode_check_stat_t mpo_vnode_check_stat; + mpo_vnode_check_unlink_t mpo_vnode_check_unlink; + mpo_vnode_check_write_t mpo_vnode_check_write; mpo_associate_nfsd_label_t mpo_associate_nfsd_label; - mpo_create_mbuf_from_firewall_t mpo_create_mbuf_from_firewall; + mpo_mbuf_create_from_firewall_t mpo_mbuf_create_from_firewall; mpo_init_syncache_label_t mpo_init_syncache_label; mpo_destroy_syncache_label_t mpo_destroy_syncache_label; mpo_init_syncache_from_inpcb_t mpo_init_syncache_from_inpcb; diff --git a/sys/security/mac/mac_posix_sem.c b/sys/security/mac/mac_posix_sem.c index 103eab2..2ea3c72 100644 --- a/sys/security/mac/mac_posix_sem.c +++ b/sys/security/mac/mac_posix_sem.c 
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2003-2005 SPARTA, Inc.
+ * Copyright (c) 2003-2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed for the FreeBSD Project in part by Network
@@ -7,6 +7,9 @@
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -48,100 +51,100 @@ __FBSDID("$FreeBSD$"); #include <security/mac/mac_policy.h> static struct label * -mac_posix_sem_label_alloc(void) +mac_posixsem_label_alloc(void) { struct label *label; label = mac_labelzone_alloc(M_WAITOK); - MAC_PERFORM(init_posix_sem_label, label); + MAC_PERFORM(posixsem_init_label, label); return (label); } void -mac_init_posix_sem(struct ksem *ks) +mac_posixsem_init(struct ksem *ks) { - ks->ks_label = mac_posix_sem_label_alloc(); + ks->ks_label = mac_posixsem_label_alloc(); } static void -mac_posix_sem_label_free(struct label *label) +mac_posixsem_label_free(struct label *label) { - MAC_PERFORM(destroy_posix_sem_label, label); + MAC_PERFORM(posixsem_destroy_label, label); } void -mac_destroy_posix_sem(struct ksem *ks) +mac_posixsem_destroy(struct ksem *ks) { - mac_posix_sem_label_free(ks->ks_label); + mac_posixsem_label_free(ks->ks_label); ks->ks_label = NULL; } void -mac_create_posix_sem(struct ucred *cred, struct ksem *ks) +mac_posixsem_create(struct ucred *cred, struct ksem *ks) { - MAC_PERFORM(create_posix_sem, cred, ks, ks->ks_label); + MAC_PERFORM(posixsem_create, cred, ks, ks->ks_label); } int -mac_check_posix_sem_destroy(struct ucred *cred, struct ksem *ks) +mac_posixsem_check_destroy(struct ucred *cred, struct ksem *ks) { int error; - MAC_CHECK(check_posix_sem_destroy, cred, ks, ks->ks_label); + MAC_CHECK(posixsem_check_destroy, cred, ks, ks->ks_label); return (error); } int -mac_check_posix_sem_open(struct ucred *cred, struct ksem *ks) +mac_posixsem_check_open(struct ucred *cred, struct ksem *ks) { int error; - MAC_CHECK(check_posix_sem_open, cred, ks, ks->ks_label); + MAC_CHECK(posixsem_check_open, cred, ks, ks->ks_label); return (error); } int -mac_check_posix_sem_getvalue(struct ucred *cred, struct ksem *ks) +mac_posixsem_check_getvalue(struct ucred *cred, struct ksem *ks) { int error; - MAC_CHECK(check_posix_sem_getvalue, cred, ks, ks->ks_label); + MAC_CHECK(posixsem_check_getvalue, cred, ks, ks->ks_label); return (error); 
} int -mac_check_posix_sem_post(struct ucred *cred, struct ksem *ks) +mac_posixsem_check_post(struct ucred *cred, struct ksem *ks) { int error; - MAC_CHECK(check_posix_sem_post, cred, ks, ks->ks_label); + MAC_CHECK(posixsem_check_post, cred, ks, ks->ks_label); return (error); } int -mac_check_posix_sem_unlink(struct ucred *cred, struct ksem *ks) +mac_posixsem_check_unlink(struct ucred *cred, struct ksem *ks) { int error; - MAC_CHECK(check_posix_sem_unlink, cred, ks, ks->ks_label); + MAC_CHECK(posixsem_check_unlink, cred, ks, ks->ks_label); return (error); } int -mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ks) +mac_posixsem_check_wait(struct ucred *cred, struct ksem *ks) { int error; - MAC_CHECK(check_posix_sem_wait, cred, ks, ks->ks_label); + MAC_CHECK(posixsem_check_wait, cred, ks, ks->ks_label); return (error); } diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c index abba4a9..c6c5cd8 100644 --- a/sys/security/mac/mac_process.c +++ b/sys/security/mac/mac_process.c @@ -3,6 +3,7 @@ * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001-2003 Networks Associates Technology, Inc. * Copyright (c) 2005 Samy Al Bahra + * Copyright (c) 2006 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson and Ilmar Habibulin for the @@ -13,6 +14,9 @@ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), * as part of the DARPA CHATS research program. * + * This software was enhanced by SPARTA ISSO under SPAWAR contract + * N66001-04-C-6019 ("SEFOS"). + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: 
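Review bot: `mac_posixsem_label_free()` in mac_posix_sem.c, as shown in the `@@ -48,100 +51,100 @@` hunk, only runs `MAC_PERFORM(posixsem_destroy_label, label);` and never returns the label, although `mac_posixsem_label_alloc()` obtains it with `mac_labelzone_alloc(M_WAITOK)`. `mac_posixsem_destroy()` then sets `ks->ks_label = NULL`, so the label storage appears to be lost on every semaphore teardown, and on a MAC-enabled kernel that usage grows with ordinary semaphore churn. The credential and process counterparts in mac_process.c call `mac_labelzone_free(label);` right after their destroy hook; the same line after the `MAC_PERFORM` here would match them. The rename does not introduce this, so it may be cleaner as a separate fix.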
@@ -85,12 +89,12 @@ mac_cred_label_alloc(void) struct label *label; label = mac_labelzone_alloc(M_WAITOK); - MAC_PERFORM(init_cred_label, label); + MAC_PERFORM(cred_init_label, label); return (label); } void -mac_init_cred(struct ucred *cred) +mac_cred_init(struct ucred *cred) { cred->cr_label = mac_cred_label_alloc(); @@ -102,12 +106,12 @@ mac_proc_label_alloc(void) struct label *label; label = mac_labelzone_alloc(M_WAITOK); - MAC_PERFORM(init_proc_label, label); + MAC_PERFORM(proc_init_label, label); return (label); } void -mac_init_proc(struct proc *p) +mac_proc_init(struct proc *p) { p->p_label = mac_proc_label_alloc(); @@ -117,12 +121,12 @@ void mac_cred_label_free(struct label *label) { - MAC_PERFORM(destroy_cred_label, label); + MAC_PERFORM(cred_destroy_label, label); mac_labelzone_free(label); } void -mac_destroy_cred(struct ucred *cred) +mac_cred_destroy(struct ucred *cred) { mac_cred_label_free(cred->cr_label); @@ -133,12 +137,12 @@ static void mac_proc_label_free(struct label *label) { - MAC_PERFORM(destroy_proc_label, label); + MAC_PERFORM(proc_destroy_label, label); mac_labelzone_free(label); } void -mac_destroy_proc(struct proc *p) +mac_proc_destroy(struct proc *p) { mac_proc_label_free(p->p_label); @@ -146,7 +150,7 @@ mac_destroy_proc(struct proc *p) } int -mac_externalize_cred_label(struct label *label, char *elements, +mac_cred_externalize_label(struct label *label, char *elements, char *outbuf, size_t outbuflen) { int error; @@ -157,7 +161,7 @@ mac_externalize_cred_label(struct label *label, char *elements, } int -mac_internalize_cred_label(struct label *label, char *string) +mac_cred_internalize_label(struct label *label, char *string) { int error; @@ -171,10 +175,10 @@ mac_internalize_cred_label(struct label *label, char *string) * processes and threads are spawned. */ void -mac_create_proc0(struct ucred *cred) +mac_proc_create_swapper(struct ucred *cred) { - MAC_PERFORM(create_proc0, cred); + MAC_PERFORM(proc_create_swapper, cred); } /* 
@@ -182,10 +186,10 @@ mac_create_proc0(struct ucred *cred) * userland processes and threads are spawned. */ void -mac_create_proc1(struct ucred *cred) +mac_proc_create_init(struct ucred *cred) { - MAC_PERFORM(create_proc1, cred); + MAC_PERFORM(proc_create_init, cred); } void @@ -201,10 +205,10 @@ mac_thread_userret(struct thread *td) * This function allows that processing to take place. */ void -mac_copy_cred(struct ucred *src, struct ucred *dest) +mac_cred_copy(struct ucred *src, struct ucred *dest) { - MAC_PERFORM(copy_cred_label, src->cr_label, dest->cr_label); + MAC_PERFORM(cred_copy_label, src->cr_label, dest->cr_label); } int @@ -234,7 +238,7 @@ mac_execve_enter(struct image_params *imgp, struct mac *mac_p) } label = mac_cred_label_alloc(); - error = mac_internalize_cred_label(label, buffer); + error = mac_cred_internalize_label(label, buffer); free(buffer, M_MACTEMP); if (error) { mac_cred_label_free(label); @@ -347,7 +351,7 @@ mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, vfslocked = VFS_LOCK_GIANT(vp->v_mount); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); result = vme->max_protection; - mac_check_vnode_mmap_downgrade(cred, vp, &result); + mac_vnode_check_mmap_downgrade(cred, vp, &result); VOP_UNLOCK(vp, 0, td); /* * Find out what maximum protection we may be allowing now 
@@ -429,185 +433,185 @@ mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, * buffer cache. */ void -mac_relabel_cred(struct ucred *cred, struct label *newlabel) +mac_cred_relabel(struct ucred *cred, struct label *newlabel) { - MAC_PERFORM(relabel_cred, cred, newlabel); + MAC_PERFORM(cred_relabel, cred, newlabel); } int -mac_check_cred_relabel(struct ucred *cred, struct label *newlabel) +mac_cred_check_relabel(struct ucred *cred, struct label *newlabel) { int error; - MAC_CHECK(check_cred_relabel, cred, newlabel); + MAC_CHECK(cred_check_relabel, cred, newlabel); return (error); } int -mac_check_cred_visible(struct ucred *cr1, struct ucred *cr2) +mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2) { int error; - MAC_CHECK(check_cred_visible, cr1, cr2); + MAC_CHECK(cred_check_visible, cr1, cr2); return (error); } int -mac_check_proc_debug(struct ucred *cred, struct proc *p) +mac_proc_check_debug(struct ucred *cred, struct proc *p) { int error; PROC_LOCK_ASSERT(p, MA_OWNED); - MAC_CHECK(check_proc_debug, cred, p); + MAC_CHECK(proc_check_debug, cred, p); return (error); } int -mac_check_proc_sched(struct ucred *cred, struct proc *p) +mac_proc_check_sched(struct ucred *cred, struct proc *p) { int error; PROC_LOCK_ASSERT(p, MA_OWNED); - MAC_CHECK(check_proc_sched, cred, p); + MAC_CHECK(proc_check_sched, cred, p); return (error); } int -mac_check_proc_signal(struct ucred *cred, struct proc *p, int signum) +mac_proc_check_signal(struct ucred *cred, struct proc *p, int signum) { int error; PROC_LOCK_ASSERT(p, MA_OWNED); - MAC_CHECK(check_proc_signal, cred, p, signum); + MAC_CHECK(proc_check_signal, cred, p, signum); return (error); } int -mac_check_proc_setuid(struct proc *p, struct ucred *cred, uid_t uid) +mac_proc_check_setuid(struct proc *p, struct ucred *cred, uid_t uid) { int error; PROC_LOCK_ASSERT(p, MA_OWNED); - MAC_CHECK(check_proc_setuid, cred, uid); + MAC_CHECK(proc_check_setuid, cred, uid); return (error); } int 
-mac_check_proc_seteuid(struct proc *p, struct ucred *cred, uid_t euid) +mac_proc_check_seteuid(struct proc *p, struct ucred *cred, uid_t euid) { int error; PROC_LOCK_ASSERT(p, MA_OWNED); - MAC_CHECK(check_proc_seteuid, cred, euid); + MAC_CHECK(proc_check_seteuid, cred, euid); return (error); } int -mac_check_proc_setgid(struct proc *p, struct ucred *cred, gid_t gid) +mac_proc_check_setgid(struct proc *p, struct ucred *cred, gid_t gid) { int error; PROC_LOCK_ASSERT(p, MA_OWNED); - MAC_CHECK(check_proc_setgid, cred, gid); + MAC_CHECK(proc_check_setgid, cred, gid); return (error); } int -mac_check_proc_setegid(struct proc *p, struct ucred *cred, gid_t egid) +mac_proc_check_setegid(struct proc *p, struct ucred *cred, gid_t egid) { int error; PROC_LOCK_ASSERT(p, MA_OWNED); - MAC_CHECK(check_proc_setegid, cred, egid); + MAC_CHECK(proc_check_setegid, cred, egid); return (error); } int -mac_check_proc_setgroups(struct proc *p, struct ucred *cred, int ngroups, +mac_proc_check_setgroups(struct proc *p, struct ucred *cred, int ngroups, gid_t *gidset) { int error; PROC_LOCK_ASSERT(p, MA_OWNED); - MAC_CHECK(check_proc_setgroups, cred, ngroups, gidset); + MAC_CHECK(proc_check_setgroups, cred, ngroups, gidset); return (error); } int -mac_check_proc_setreuid(struct proc *p, struct ucred *cred, uid_t ruid, +mac_proc_check_setreuid(struct proc *p, struct ucred *cred, uid_t ruid, uid_t euid) { int error; PROC_LOCK_ASSERT(p, MA_OWNED); - MAC_CHECK(check_proc_setreuid, cred, ruid, euid); + MAC_CHECK(proc_check_setreuid, cred, ruid, euid); return (error); } int -mac_check_proc_setregid(struct proc *proc, struct ucred *cred, gid_t rgid, +mac_proc_check_setregid(struct proc *proc, struct ucred *cred, gid_t rgid, gid_t egid) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); - MAC_CHECK(check_proc_setregid, cred, rgid, egid); + MAC_CHECK(proc_check_setregid, cred, rgid, egid); return (error); } int -mac_check_proc_setresuid(struct proc *p, struct ucred *cred, uid_t ruid, 
+mac_proc_check_setresuid(struct proc *p, struct ucred *cred, uid_t ruid, uid_t euid, uid_t suid) { int error; PROC_LOCK_ASSERT(p, MA_OWNED); - MAC_CHECK(check_proc_setresuid, cred, ruid, euid, suid); + MAC_CHECK(proc_check_setresuid, cred, ruid, euid, suid); return (error); } int -mac_check_proc_setresgid(struct proc *p, struct ucred *cred, gid_t rgid, +mac_proc_check_setresgid(struct proc *p, struct ucred *cred, gid_t rgid, gid_t egid, gid_t sgid) { int error; PROC_LOCK_ASSERT(p, MA_OWNED); - MAC_CHECK(check_proc_setresgid, cred, rgid, egid, sgid); + MAC_CHECK(proc_check_setresgid, cred, rgid, egid, sgid); return (error); } int -mac_check_proc_wait(struct ucred *cred, struct proc *p) +mac_proc_check_wait(struct ucred *cred, struct proc *p) { int error; PROC_LOCK_ASSERT(p, MA_OWNED); - MAC_CHECK(check_proc_wait, cred, p); + MAC_CHECK(proc_check_wait, cred, p); return (error); } diff --git a/sys/security/mac/mac_socket.c b/sys/security/mac/mac_socket.c index 07722ad..37dfa3f 100644 --- a/sys/security/mac/mac_socket.c +++ b/sys/security/mac/mac_socket.c @@ -2,7 +2,7 @@ * Copyright (c) 1999-2002 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001-2005 Networks Associates Technology, Inc. - * Copyright (c) 2005 SPARTA, Inc. + * Copyright (c) 2005-2006 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson and Ilmar Habibulin for the @@ -94,9 +94,9 @@ mac_socket_label_alloc(int flag) if (label == NULL) return (NULL); - MAC_CHECK(init_socket_label, label, flag); + MAC_CHECK(socket_init_label, label, flag); if (error) { - MAC_PERFORM(destroy_socket_label, label); + MAC_PERFORM(socket_destroy_label, label); mac_labelzone_free(label); return (NULL); } @@ -104,7 +104,7 @@ mac_socket_label_alloc(int flag) } static struct label * -mac_socket_peer_label_alloc(int flag) +mac_socketpeer_label_alloc(int flag) { struct label *label; int error; 
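Review bot: In the `@@ -429,185 +433,185 @@` hunk, `mac_proc_check_setregid` still names its process argument `proc` while every sibling check in the hunk uses `p`. Since the signature line is being rewritten anyway, `mac_proc_check_setregid(struct proc *p, struct ucred *cred, gid_t rgid,` with `PROC_LOCK_ASSERT(p, MA_OWNED);` would make the family uniform. The set*id checks also use the process only for the lock assertion and hand the policy `cred` plus the requested ids. A one-line comment such as `/* p is used only to assert the process lock; policies see cred and the requested ids. */` would stop callers from assuming the policy can inspect the target process.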
@@ -113,9 +113,9 @@ mac_socket_peer_label_alloc(int flag) if (label == NULL) return (NULL); - MAC_CHECK(init_socket_peer_label, label, flag); + MAC_CHECK(socketpeer_init_label, label, flag); if (error) { - MAC_PERFORM(destroy_socket_peer_label, label); + MAC_PERFORM(socketpeer_destroy_label, label); mac_labelzone_free(label); return (NULL); } @@ -123,13 +123,13 @@ mac_socket_peer_label_alloc(int flag) } int -mac_init_socket(struct socket *so, int flag) +mac_socket_init(struct socket *so, int flag) { so->so_label = mac_socket_label_alloc(flag); if (so->so_label == NULL) return (ENOMEM); - so->so_peerlabel = mac_socket_peer_label_alloc(flag); + so->so_peerlabel = mac_socketpeer_label_alloc(flag); if (so->so_peerlabel == NULL) { mac_socket_label_free(so->so_label); so->so_label = NULL; @@ -142,37 +142,37 @@ void mac_socket_label_free(struct label *label) { - MAC_PERFORM(destroy_socket_label, label); + MAC_PERFORM(socket_destroy_label, label); mac_labelzone_free(label); } static void -mac_socket_peer_label_free(struct label *label) +mac_socketpeer_label_free(struct label *label) { - MAC_PERFORM(destroy_socket_peer_label, label); + MAC_PERFORM(socketpeer_destroy_label, label); mac_labelzone_free(label); } void -mac_destroy_socket(struct socket *so) +mac_socket_destroy(struct socket *so) { mac_socket_label_free(so->so_label); so->so_label = NULL; - mac_socket_peer_label_free(so->so_peerlabel); + mac_socketpeer_label_free(so->so_peerlabel); so->so_peerlabel = NULL; } void -mac_copy_socket_label(struct label *src, struct label *dest) +mac_socket_copy_label(struct label *src, struct label *dest) { - MAC_PERFORM(copy_socket_label, src, dest); + MAC_PERFORM(socket_copy_label, src, dest); } int -mac_externalize_socket_label(struct label *label, char *elements, +mac_socket_externalize_label(struct label *label, char *elements, char *outbuf, size_t outbuflen) { int error; 
@@ -183,18 +183,18 @@ mac_externalize_socket_label(struct label *label, char *elements, } static int -mac_externalize_socket_peer_label(struct label *label, char *elements, +mac_socketpeer_externalize_label(struct label *label, char *elements, char *outbuf, size_t outbuflen) { int error; - MAC_EXTERNALIZE(socket_peer, label, elements, outbuf, outbuflen); + MAC_EXTERNALIZE(socketpeer, label, elements, outbuf, outbuflen); return (error); } int -mac_internalize_socket_label(struct label *label, char *string) +mac_socket_internalize_label(struct label *label, char *string) { int error; @@ -204,34 +204,34 @@ mac_internalize_socket_label(struct label *label, char *string) } void -mac_create_socket(struct ucred *cred, struct socket *so) +mac_socket_create(struct ucred *cred, struct socket *so) { - MAC_PERFORM(create_socket, cred, so, so->so_label); + MAC_PERFORM(socket_create, cred, so, so->so_label); } void -mac_create_socket_from_socket(struct socket *oldso, struct socket *newso) +mac_socket_newconn(struct socket *oldso, struct socket *newso) { SOCK_LOCK_ASSERT(oldso); - MAC_PERFORM(create_socket_from_socket, oldso, oldso->so_label, newso, + MAC_PERFORM(socket_newconn, oldso, oldso->so_label, newso, newso->so_label); } static void -mac_relabel_socket(struct ucred *cred, struct socket *so, +mac_socket_relabel(struct ucred *cred, struct socket *so, struct label *newlabel) { SOCK_LOCK_ASSERT(so); - MAC_PERFORM(relabel_socket, cred, so, so->so_label, newlabel); + MAC_PERFORM(socket_relabel, cred, so, so->so_label, newlabel); } void -mac_set_socket_peer_from_mbuf(struct mbuf *m, struct socket *so) +mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so) { struct label *label; 
@@ -239,12 +239,12 @@ mac_set_socket_peer_from_mbuf(struct mbuf *m, struct socket *so) label = mac_mbuf_to_label(m); - MAC_PERFORM(set_socket_peer_from_mbuf, m, label, so, + MAC_PERFORM(socketpeer_set_from_mbuf, m, label, so, so->so_peerlabel); } void -mac_set_socket_peer_from_socket(struct socket *oldso, struct socket *newso) +mac_socketpeer_set_from_socket(struct socket *oldso, struct socket *newso) { /* @@ -252,12 +252,12 @@ mac_set_socket_peer_from_socket(struct socket *oldso, struct socket *newso) * is the original, and one is the new. However, it's called in both * directions, so we can't assert the lock here currently. */ - MAC_PERFORM(set_socket_peer_from_socket, oldso, oldso->so_label, + MAC_PERFORM(socketpeer_set_from_socket, oldso, oldso->so_label, newso, newso->so_peerlabel); } void -mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m) +mac_socket_create_mbuf(struct socket *so, struct mbuf *m) { struct label *label; 
@@ -265,59 +265,59 @@ mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m) label = mac_mbuf_to_label(m); - MAC_PERFORM(create_mbuf_from_socket, so, so->so_label, m, label); + MAC_PERFORM(socket_create_mbuf, so, so->so_label, m, label); } int -mac_check_socket_accept(struct ucred *cred, struct socket *so) +mac_socket_check_accept(struct ucred *cred, struct socket *so) { int error; SOCK_LOCK_ASSERT(so); - MAC_CHECK(check_socket_accept, cred, so, so->so_label); + MAC_CHECK(socket_check_accept, cred, so, so->so_label); return (error); } int -mac_check_socket_bind(struct ucred *ucred, struct socket *so, +mac_socket_check_bind(struct ucred *ucred, struct socket *so, struct sockaddr *sa) { int error; SOCK_LOCK_ASSERT(so); - MAC_CHECK(check_socket_bind, ucred, so, so->so_label, sa); + MAC_CHECK(socket_check_bind, ucred, so, so->so_label, sa); return (error); } int -mac_check_socket_connect(struct ucred *cred, struct socket *so, +mac_socket_check_connect(struct ucred *cred, struct socket *so, struct sockaddr *sa) { int error; SOCK_LOCK_ASSERT(so); - MAC_CHECK(check_socket_connect, cred, so, so->so_label, sa); + MAC_CHECK(socket_check_connect, cred, so, so->so_label, sa); return (error); } int -mac_check_socket_create(struct ucred *cred, int domain, int type, int proto) +mac_socket_check_create(struct ucred *cred, int domain, int type, int proto) { int error; - MAC_CHECK(check_socket_create, cred, domain, type, proto); + MAC_CHECK(socket_check_create, cred, domain, type, proto); return (error); } int -mac_check_socket_deliver(struct socket *so, struct mbuf *m) +mac_socket_check_deliver(struct socket *so, struct mbuf *m) { struct label *label; int error; 
@@ -326,92 +326,92 @@ mac_check_socket_deliver(struct socket *so, struct mbuf *m) label = mac_mbuf_to_label(m); - MAC_CHECK(check_socket_deliver, so, so->so_label, m, label); + MAC_CHECK(socket_check_deliver, so, so->so_label, m, label); return (error); } int -mac_check_socket_listen(struct ucred *cred, struct socket *so) +mac_socket_check_listen(struct ucred *cred, struct socket *so) { int error; SOCK_LOCK_ASSERT(so); - MAC_CHECK(check_socket_listen, cred, so, so->so_label); + MAC_CHECK(socket_check_listen, cred, so, so->so_label); return (error); } int -mac_check_socket_poll(struct ucred *cred, struct socket *so) +mac_socket_check_poll(struct ucred *cred, struct socket *so) { int error; SOCK_LOCK_ASSERT(so); - MAC_CHECK(check_socket_poll, cred, so, so->so_label); + MAC_CHECK(socket_check_poll, cred, so, so->so_label); return (error); } int -mac_check_socket_receive(struct ucred *cred, struct socket *so) +mac_socket_check_receive(struct ucred *cred, struct socket *so) { int error; SOCK_LOCK_ASSERT(so); - MAC_CHECK(check_socket_receive, cred, so, so->so_label); + MAC_CHECK(socket_check_receive, cred, so, so->so_label); return (error); } static int -mac_check_socket_relabel(struct ucred *cred, struct socket *so, +mac_socket_check_relabel(struct ucred *cred, struct socket *so, struct label *newlabel) { int error; SOCK_LOCK_ASSERT(so); - MAC_CHECK(check_socket_relabel, cred, so, so->so_label, newlabel); + MAC_CHECK(socket_check_relabel, cred, so, so->so_label, newlabel); return (error); } int -mac_check_socket_send(struct ucred *cred, struct socket *so) +mac_socket_check_send(struct ucred *cred, struct socket *so) { int error; SOCK_LOCK_ASSERT(so); - MAC_CHECK(check_socket_send, cred, so, so->so_label); + MAC_CHECK(socket_check_send, cred, so, so->so_label); return (error); } int -mac_check_socket_stat(struct ucred *cred, struct socket *so) +mac_socket_check_stat(struct ucred *cred, struct socket *so) { int error; SOCK_LOCK_ASSERT(so); - MAC_CHECK(check_socket_stat, 
cred, so, so->so_label); + MAC_CHECK(socket_check_stat, cred, so, so->so_label); return (error); } int -mac_check_socket_visible(struct ucred *cred, struct socket *so) +mac_socket_check_visible(struct ucred *cred, struct socket *so) { int error; SOCK_LOCK_ASSERT(so); - MAC_CHECK(check_socket_visible, cred, so, so->so_label); + MAC_CHECK(socket_check_visible, cred, so, so->so_label); return (error); } @@ -431,13 +431,13 @@ mac_socket_label_set(struct ucred *cred, struct socket *so, * acquire the socket lock before refreshing, holding both locks. */ SOCK_LOCK(so); - error = mac_check_socket_relabel(cred, so, label); + error = mac_socket_check_relabel(cred, so, label); if (error) { SOCK_UNLOCK(so); return (error); } - mac_relabel_socket(cred, so, label); + mac_socket_relabel(cred, so, label); SOCK_UNLOCK(so); /* @@ -471,7 +471,7 @@ mac_setsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac) } intlabel = mac_socket_label_alloc(M_WAITOK); - error = mac_internalize_socket_label(intlabel, buffer); + error = mac_socket_internalize_label(intlabel, buffer); free(buffer, M_MACTEMP); if (error) goto out; @@ -503,9 +503,9 @@ mac_getsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac) buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); intlabel = mac_socket_label_alloc(M_WAITOK); SOCK_LOCK(so); - mac_copy_socket_label(so->so_label, intlabel); + mac_socket_copy_label(so->so_label, intlabel); SOCK_UNLOCK(so); - error = mac_externalize_socket_label(intlabel, elements, buffer, + error = mac_socket_externalize_label(intlabel, elements, buffer, mac->m_buflen); mac_socket_label_free(intlabel); if (error == 0) 
@@ -539,9 +539,9 @@ mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so, buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); intlabel = mac_socket_label_alloc(M_WAITOK); SOCK_LOCK(so); - mac_copy_socket_label(so->so_peerlabel, intlabel); + mac_socket_copy_label(so->so_peerlabel, intlabel); SOCK_UNLOCK(so); - error = mac_externalize_socket_peer_label(intlabel, elements, buffer, + error = mac_socketpeer_externalize_label(intlabel, elements, buffer, mac->m_buflen); mac_socket_label_free(intlabel); if (error == 0) diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c index cda98c2..0c41c78 100644 --- a/sys/security/mac/mac_syscalls.c +++ b/sys/security/mac/mac_syscalls.c @@ -105,7 +105,7 @@ __mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap) } buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); - error = mac_externalize_cred_label(tcred->cr_label, elements, + error = mac_cred_externalize_label(tcred->cr_label, elements, buffer, mac.m_buflen); if (error == 0) error = copyout(buffer, mac.m_string, strlen(buffer)+1); @@ -139,7 +139,7 @@ __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) } buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); - error = mac_externalize_cred_label(td->td_ucred->cr_label, + error = mac_cred_externalize_label(td->td_ucred->cr_label, elements, buffer, mac.m_buflen); if (error == 0) error = copyout(buffer, mac.m_string, strlen(buffer)+1); @@ -175,7 +175,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) } intlabel = mac_cred_label_alloc(); - error = mac_internalize_cred_label(intlabel, buffer); + error = mac_cred_internalize_label(intlabel, buffer); free(buffer, M_MACTEMP); if (error) goto out; 
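Review bot: In `mac_getsockopt_peerlabel` (hunk `@@ -539,9 +539,9 @@` of mac_socket.c) the temporary label for the peer is still allocated, copied and freed through the socket-class helpers (`mac_socket_label_alloc`, `mac_socket_copy_label`, `mac_socket_label_free`) and only externalized through `mac_socketpeer_externalize_label`. The rename makes `socketpeer` a separate object class with its own `socketpeer_init_label`/`socketpeer_destroy_label` entry points, so a policy that initialises the two classes differently would presumably be handed a socket-initialised label at the peer externalize step. If the sharing is intentional, a comment at the allocation would document it, e.g. `/* Peer labels reuse the socket label init/copy/destroy entry points here. */`. Otherwise `mac_socketpeer_label_alloc` and `mac_socketpeer_label_free` already exist in this file. The function starts and ends outside the hunk.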
@@ -186,7 +186,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) PROC_LOCK(p); oldcred = p->p_ucred; - error = mac_check_cred_relabel(oldcred, intlabel); + error = mac_cred_check_relabel(oldcred, intlabel); if (error) { PROC_UNLOCK(p); crfree(newcred); @@ -195,7 +195,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) setsugid(p); crcopy(newcred, oldcred); - mac_relabel_cred(newcred, intlabel); + mac_cred_relabel(newcred, intlabel); p->p_ucred = newcred; /* @@ -256,10 +256,10 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) intlabel = mac_vnode_label_alloc(); vfslocked = VFS_LOCK_GIANT(vp->v_mount); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); - mac_copy_vnode_label(vp->v_label, intlabel); + mac_vnode_copy_label(vp->v_label, intlabel); VOP_UNLOCK(vp, 0, td); VFS_UNLOCK_GIANT(vfslocked); - error = mac_externalize_vnode_label(intlabel, elements, + error = mac_vnode_externalize_label(intlabel, elements, buffer, mac.m_buflen); mac_vnode_label_free(intlabel); break; @@ -268,9 +268,9 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) pipe = fp->f_data; intlabel = mac_pipe_label_alloc(); PIPE_LOCK(pipe); - mac_copy_pipe_label(pipe->pipe_pair->pp_label, intlabel); + mac_pipe_copy_label(pipe->pipe_pair->pp_label, intlabel); PIPE_UNLOCK(pipe); - error = mac_externalize_pipe_label(intlabel, elements, + error = mac_pipe_externalize_label(intlabel, elements, buffer, mac.m_buflen); mac_pipe_label_free(intlabel); break; @@ -279,9 +279,9 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) so = fp->f_data; intlabel = mac_socket_label_alloc(M_WAITOK); SOCK_LOCK(so); - mac_copy_socket_label(so->so_label, intlabel); + mac_socket_copy_label(so->so_label, intlabel); SOCK_UNLOCK(so); - error = mac_externalize_socket_label(intlabel, elements, + error = mac_socket_externalize_label(intlabel, elements, buffer, mac.m_buflen); mac_socket_label_free(intlabel); break; 
@@ -332,8 +332,8 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap) intlabel = mac_vnode_label_alloc(); vfslocked = NDHASGIANT(&nd); - mac_copy_vnode_label(nd.ni_vp->v_label, intlabel); - error = mac_externalize_vnode_label(intlabel, elements, buffer, + mac_vnode_copy_label(nd.ni_vp->v_label, intlabel); + error = mac_vnode_externalize_label(intlabel, elements, buffer, mac.m_buflen); NDFREE(&nd, 0); @@ -382,8 +382,8 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap) intlabel = mac_vnode_label_alloc(); vfslocked = NDHASGIANT(&nd); - mac_copy_vnode_label(nd.ni_vp->v_label, intlabel); - error = mac_externalize_vnode_label(intlabel, elements, buffer, + mac_vnode_copy_label(nd.ni_vp->v_label, intlabel); + error = mac_vnode_externalize_label(intlabel, elements, buffer, mac.m_buflen); NDFREE(&nd, 0); VFS_UNLOCK_GIANT(vfslocked); @@ -435,7 +435,7 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) case DTYPE_FIFO: case DTYPE_VNODE: intlabel = mac_vnode_label_alloc(); - error = mac_internalize_vnode_label(intlabel, buffer); + error = mac_vnode_internalize_label(intlabel, buffer); if (error) { mac_vnode_label_free(intlabel); break; @@ -458,7 +458,7 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) case DTYPE_PIPE: intlabel = mac_pipe_label_alloc(); - error = mac_internalize_pipe_label(intlabel, buffer); + error = mac_pipe_internalize_label(intlabel, buffer); if (error == 0) { pipe = fp->f_data; PIPE_LOCK(pipe); @@ -471,7 +471,7 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) case DTYPE_SOCKET: intlabel = mac_socket_label_alloc(M_WAITOK); - error = mac_internalize_socket_label(intlabel, buffer); + error = mac_socket_internalize_label(intlabel, buffer); if (error == 0) { so = fp->f_data; error = mac_socket_label_set(td->td_ucred, so, 
@@ -515,7 +515,7 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) } intlabel = mac_vnode_label_alloc(); - error = mac_internalize_vnode_label(intlabel, buffer); + error = mac_vnode_internalize_label(intlabel, buffer); free(buffer, M_MACTEMP); if (error) goto out; @@ -566,7 +566,7 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap) } intlabel = mac_vnode_label_alloc(); - error = mac_internalize_vnode_label(intlabel, buffer); + error = mac_vnode_internalize_label(intlabel, buffer); free(buffer, M_MACTEMP); if (error) goto out; diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c index 380466e..588e019 100644 --- a/sys/security/mac/mac_system.c +++ b/sys/security/mac/mac_system.c @@ -1,5 +1,6 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. + * Copyright (c) 2006 SPARTA, Inc. * Copyright (c) 2007 Robert N. M. Watson * All rights reserved. * @@ -11,6 +12,9 @@ * Portions of this software were developed by Robert Watson for the * TrustedBSD Project. * + * This software was enhanced by SPARTA ISSO under SPAWAR contract + * N66001-04-C-6019 ("SEFOS"). + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: 
@@ -63,116 +67,116 @@ __FBSDID("$FreeBSD$"); #include <security/mac/mac_policy.h> int -mac_check_kenv_dump(struct ucred *cred) +mac_kenv_check_dump(struct ucred *cred) { int error; - MAC_CHECK(check_kenv_dump, cred); + MAC_CHECK(kenv_check_dump, cred); return (error); } int -mac_check_kenv_get(struct ucred *cred, char *name) +mac_kenv_check_get(struct ucred *cred, char *name) { int error; - MAC_CHECK(check_kenv_get, cred, name); + MAC_CHECK(kenv_check_get, cred, name); return (error); } int -mac_check_kenv_set(struct ucred *cred, char *name, char *value) +mac_kenv_check_set(struct ucred *cred, char *name, char *value) { int error; - MAC_CHECK(check_kenv_set, cred, name, value); + MAC_CHECK(kenv_check_set, cred, name, value); return (error); } int -mac_check_kenv_unset(struct ucred *cred, char *name) +mac_kenv_check_unset(struct ucred *cred, char *name) { int error; - MAC_CHECK(check_kenv_unset, cred, name); + MAC_CHECK(kenv_check_unset, cred, name); return (error); } int -mac_check_kld_load(struct ucred *cred, struct vnode *vp) +mac_kld_check_load(struct ucred *cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_kld_load"); + ASSERT_VOP_LOCKED(vp, "mac_kld_check_load"); - MAC_CHECK(check_kld_load, cred, vp, vp->v_label); + MAC_CHECK(kld_check_load, cred, vp, vp->v_label); return (error); } int -mac_check_kld_stat(struct ucred *cred) +mac_kld_check_stat(struct ucred *cred) { int error; - MAC_CHECK(check_kld_stat, cred); + MAC_CHECK(kld_check_stat, cred); return (error); } int -mac_check_system_acct(struct ucred *cred, struct vnode *vp) +mac_system_check_acct(struct ucred *cred, struct vnode *vp) { int error; if (vp != NULL) { - ASSERT_VOP_LOCKED(vp, "mac_check_system_acct"); + ASSERT_VOP_LOCKED(vp, "mac_system_check_acct"); } - MAC_CHECK(check_system_acct, cred, vp, + MAC_CHECK(system_check_acct, cred, vp, vp != NULL ? 
vp->v_label : NULL); return (error); } int -mac_check_system_reboot(struct ucred *cred, int howto) +mac_system_check_reboot(struct ucred *cred, int howto) { int error; - MAC_CHECK(check_system_reboot, cred, howto); + MAC_CHECK(system_check_reboot, cred, howto); return (error); } int -mac_check_system_swapon(struct ucred *cred, struct vnode *vp) +mac_system_check_swapon(struct ucred *cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_system_swapon"); + ASSERT_VOP_LOCKED(vp, "mac_system_check_swapon"); - MAC_CHECK(check_system_swapon, cred, vp, vp->v_label); + MAC_CHECK(system_check_swapon, cred, vp, vp->v_label); return (error); } int -mac_check_system_swapoff(struct ucred *cred, struct vnode *vp) +mac_system_check_swapoff(struct ucred *cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff"); + ASSERT_VOP_LOCKED(vp, "mac_system_check_swapoff"); - MAC_CHECK(check_system_swapoff, cred, vp, vp->v_label); + MAC_CHECK(system_check_swapoff, cred, vp, vp->v_label); return (error); } int -mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, +mac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp, void *arg1, int arg2, struct sysctl_req *req) { int error; @@ -181,7 +185,7 @@ mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, * XXXMAC: We would very much like to assert the SYSCTL_LOCK here, * but since it's not exported from kern_sysctl.c, we can't. */ - MAC_CHECK(check_system_sysctl, cred, oidp, arg1, arg2, req); + MAC_CHECK(system_check_sysctl, cred, oidp, arg1, arg2, req); return (error); } diff --git a/sys/security/mac/mac_sysv_msg.c b/sys/security/mac/mac_sysv_msg.c index 054614b..5db6270 100644 --- a/sys/security/mac/mac_sysv_msg.c +++ b/sys/security/mac/mac_sysv_msg.c 
@@ -1,5 +1,6 @@ /*- * Copyright (c) 2003-2004 Networks Associates Technology, Inc. + * Copyright (c) 2006 SPARTA, Inc. * All rights reserved. * * This software was developed for the FreeBSD Project in part by Network @@ -7,6 +8,9 @@ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), * as part of the DARPA CHATS research program. * + * This software was enhanced by SPARTA ISSO under SPAWAR contract + * N66001-04-C-6019 ("SEFOS"). + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -58,12 +62,12 @@ mac_sysv_msgmsg_label_alloc(void) struct label *label; label = mac_labelzone_alloc(M_WAITOK); - MAC_PERFORM(init_sysv_msgmsg_label, label); + MAC_PERFORM(sysvmsg_init_label, label); return (label); } void -mac_init_sysv_msgmsg(struct msg *msgptr) +mac_sysvmsg_init(struct msg *msgptr) { msgptr->label = mac_sysv_msgmsg_label_alloc(); @@ -75,12 +79,12 @@ mac_sysv_msgqueue_label_alloc(void) struct label *label; label = mac_labelzone_alloc(M_WAITOK); - MAC_PERFORM(init_sysv_msgqueue_label, label); + MAC_PERFORM(sysvmsq_init_label, label); return (label); } void -mac_init_sysv_msgqueue(struct msqid_kernel *msqkptr) +mac_sysvmsq_init(struct msqid_kernel *msqkptr) { msqkptr->label = mac_sysv_msgqueue_label_alloc(); @@ -90,12 +94,12 @@ static void mac_sysv_msgmsg_label_free(struct label *label) { - MAC_PERFORM(destroy_sysv_msgmsg_label, label); + MAC_PERFORM(sysvmsg_destroy_label, label); mac_labelzone_free(label); } void -mac_destroy_sysv_msgmsg(struct msg *msgptr) +mac_sysvmsg_destroy(struct msg *msgptr) { mac_sysv_msgmsg_label_free(msgptr->label); 
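Review bot: From the `@@ -58,12 +62,12 @@` hunk of mac_sysv_msg.c onward, the label helpers keep the old object spelling (`mac_sysv_msgmsg_label_alloc`, `mac_sysv_msgqueue_label_alloc` and the matching `_label_free` functions) although they now invoke `sysvmsg_*`/`sysvmsq_*` entry points and are called from `mac_sysvmsg_init`/`mac_sysvmsq_init`. mac_socket.c in the same change did rename its helper (`mac_socket_peer_label_alloc` became `mac_socketpeer_label_alloc`), so for consistency these could become `mac_sysvmsg_label_alloc`, `mac_sysvmsq_label_alloc` and their `_free` counterparts. The same applies to `mac_sysv_sem_label_alloc`/`mac_sysv_sem_label_free` in the mac_sysv_sem.c hunks. The helper definitions begin outside the hunks shown.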
@@ -106,12 +110,12 @@ static void mac_sysv_msgqueue_label_free(struct label *label) { - MAC_PERFORM(destroy_sysv_msgqueue_label, label); + MAC_PERFORM(sysvmsq_destroy_label, label); mac_labelzone_free(label); } void -mac_destroy_sysv_msgqueue(struct msqid_kernel *msqkptr) +mac_sysvmsq_destroy(struct msqid_kernel *msqkptr) { mac_sysv_msgqueue_label_free(msqkptr->label); 
@@ -119,104 +123,104 @@ mac_destroy_sysv_msgqueue(struct msqid_kernel *msqkptr) } void -mac_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr, +mac_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr, struct msg *msgptr) { - MAC_PERFORM(create_sysv_msgmsg, cred, msqkptr, msqkptr->label, + MAC_PERFORM(sysvmsg_create, cred, msqkptr, msqkptr->label, msgptr, msgptr->label); } void -mac_create_sysv_msgqueue(struct ucred *cred, struct msqid_kernel *msqkptr) +mac_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr) { - MAC_PERFORM(create_sysv_msgqueue, cred, msqkptr, msqkptr->label); + MAC_PERFORM(sysvmsq_create, cred, msqkptr, msqkptr->label); } void -mac_cleanup_sysv_msgmsg(struct msg *msgptr) +mac_sysvmsg_cleanup(struct msg *msgptr) { - MAC_PERFORM(cleanup_sysv_msgmsg, msgptr->label); + MAC_PERFORM(sysvmsg_cleanup, msgptr->label); } void -mac_cleanup_sysv_msgqueue(struct msqid_kernel *msqkptr) +mac_sysvmsq_cleanup(struct msqid_kernel *msqkptr) { - MAC_PERFORM(cleanup_sysv_msgqueue, msqkptr->label); + MAC_PERFORM(sysvmsq_cleanup, msqkptr->label); } int -mac_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr, +mac_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr, struct msqid_kernel *msqkptr) { int error; - MAC_CHECK(check_sysv_msgmsq, cred, msgptr, msgptr->label, msqkptr, - msqkptr->label); + MAC_CHECK(sysvmsq_check_msgmsq, cred, msgptr, msgptr->label, + msqkptr, msqkptr->label); return (error); } int -mac_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr) +mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr) { int error; - MAC_CHECK(check_sysv_msgrcv, cred, msgptr, msgptr->label); + MAC_CHECK(sysvmsq_check_msgrcv, cred, msgptr, msgptr->label); return (error); } int -mac_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr) +mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr) { int error; - MAC_CHECK(check_sysv_msgrmid, cred, msgptr, msgptr->label); + 
MAC_CHECK(sysvmsq_check_msgrmid, cred, msgptr, msgptr->label); return (error); } int -mac_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr) +mac_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr) { int error; - MAC_CHECK(check_sysv_msqget, cred, msqkptr, msqkptr->label); + MAC_CHECK(sysvmsq_check_msqget, cred, msqkptr, msqkptr->label); return (error); } int -mac_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr) +mac_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr) { int error; - MAC_CHECK(check_sysv_msqsnd, cred, msqkptr, msqkptr->label); + MAC_CHECK(sysvmsq_check_msqsnd, cred, msqkptr, msqkptr->label); return (error); } int -mac_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr) +mac_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr) { int error; - MAC_CHECK(check_sysv_msqrcv, cred, msqkptr, msqkptr->label); + MAC_CHECK(sysvmsq_check_msqrcv, cred, msqkptr, msqkptr->label); return (error); } int -mac_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr, +mac_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr, int cmd) { int error; - MAC_CHECK(check_sysv_msqctl, cred, msqkptr, msqkptr->label, cmd); + MAC_CHECK(sysvmsq_check_msqctl, cred, msqkptr, msqkptr->label, cmd); return (error); } diff --git a/sys/security/mac/mac_sysv_sem.c b/sys/security/mac/mac_sysv_sem.c index e77331e..5f7c4f9 100644 --- a/sys/security/mac/mac_sysv_sem.c +++ b/sys/security/mac/mac_sysv_sem.c @@ -1,5 +1,6 @@ /*- * Copyright (c) 2003-2004 Networks Associates Technology, Inc. + * Copyright (c) 2006 SPARTA, Inc. * All rights reserved. * * This software was developed for the FreeBSD Project in part by Network 
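Review bot: In the `@@ -119,104 +123,104 @@` hunk, `mac_sysvmsq_check_msgrcv` and `mac_sysvmsq_check_msgrmid` carry the queue prefix but take a `struct msg *` and pass `msgptr->label`, so the name points at a different object from the one whose label is checked. The grouping under `sysvmsq` may be deliberate, for instance to keep all message-queue operation checks together. If so, a short comment above them would say so, e.g. `/* Checked against the message label; grouped with the queue operations. */`. Otherwise `mac_sysvmsg_check_msgrcv`/`mac_sysvmsg_check_msgrmid` would match the `mac_sysvmsg_*` lifecycle functions earlier in the same hunk.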
@@ -7,6 +8,9 @@ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), * as part of the DARPA CHATS research program. * + * This software was enhanced by SPARTA ISSO under SPAWAR contract + * N66001-04-C-6019 ("SEFOS"). + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -58,12 +62,12 @@ mac_sysv_sem_label_alloc(void) struct label *label; label = mac_labelzone_alloc(M_WAITOK); - MAC_PERFORM(init_sysv_sem_label, label); + MAC_PERFORM(sysvsem_init_label, label); return (label); } void -mac_init_sysv_sem(struct semid_kernel *semakptr) +mac_sysvsem_init(struct semid_kernel *semakptr) { semakptr->label = mac_sysv_sem_label_alloc(); @@ -73,12 +77,12 @@ static void mac_sysv_sem_label_free(struct label *label) { - MAC_PERFORM(destroy_sysv_sem_label, label); + MAC_PERFORM(sysvsem_destroy_label, label); mac_labelzone_free(label); } void -mac_destroy_sysv_sem(struct semid_kernel *semakptr) +mac_sysvsem_destroy(struct semid_kernel *semakptr) { mac_sysv_sem_label_free(semakptr->label); 
@@ -86,47 +90,48 @@ mac_destroy_sysv_sem(struct semid_kernel *semakptr) } void -mac_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr) +mac_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr) { - MAC_PERFORM(create_sysv_sem, cred, semakptr, semakptr->label); + MAC_PERFORM(sysvsem_create, cred, semakptr, semakptr->label); } void -mac_cleanup_sysv_sem(struct semid_kernel *semakptr) +mac_sysvsem_cleanup(struct semid_kernel *semakptr) { - MAC_PERFORM(cleanup_sysv_sem, semakptr->label); + MAC_PERFORM(sysvsem_cleanup, semakptr->label); } int -mac_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr, +mac_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr, int cmd) { int error; - MAC_CHECK(check_sysv_semctl, cred, semakptr, semakptr->label, cmd); + MAC_CHECK(sysvsem_check_semctl, cred, semakptr, semakptr->label, + cmd); return (error); } int -mac_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr) +mac_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr) { int error; - MAC_CHECK(check_sysv_semget, cred, semakptr, semakptr->label); + MAC_CHECK(sysvsem_check_semget, cred, semakptr, semakptr->label); return (error); } int -mac_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr, +mac_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr, size_t accesstype) { int error; - MAC_CHECK(check_sysv_semop, cred, semakptr, semakptr->label, + MAC_CHECK(sysvsem_check_semop, cred, semakptr, semakptr->label, accesstype); return (error); diff --git a/sys/security/mac/mac_sysv_shm.c b/sys/security/mac/mac_sysv_shm.c index 6cabeb4..05ec1e1 100644 --- a/sys/security/mac/mac_sysv_shm.c +++ b/sys/security/mac/mac_sysv_shm.c @@ -1,5 +1,6 @@ /*- * Copyright (c) 2003-2004 Networks Associates Technology, Inc. + * Copyright (c) 2006 SPARTA, Inc. * All rights reserved. * * This software was developed for the FreeBSD Project in part by Network 
@@ -7,6 +8,9 @@ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), * as part of the DARPA CHATS research program. * + * This software was enhanced by SPARTA ISSO under SPAWAR contract + * N66001-04-C-6019 ("SEFOS"). + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -58,12 +62,12 @@ mac_sysv_shm_label_alloc(void) struct label *label; label = mac_labelzone_alloc(M_WAITOK); - MAC_PERFORM(init_sysv_shm_label, label); + MAC_PERFORM(sysvshm_init_label, label); return (label); } void -mac_init_sysv_shm(struct shmid_kernel *shmsegptr) +mac_sysvshm_init(struct shmid_kernel *shmsegptr) { shmsegptr->label = mac_sysv_shm_label_alloc(); @@ -73,12 +77,12 @@ static void mac_sysv_shm_label_free(struct label *label) { - MAC_PERFORM(destroy_sysv_shm_label, label); + MAC_PERFORM(sysvshm_destroy_label, label); mac_labelzone_free(label); } void -mac_destroy_sysv_shm(struct shmid_kernel *shmsegptr) +mac_sysvshm_destroy(struct shmid_kernel *shmsegptr) { mac_sysv_shm_label_free(shmsegptr->label); 
@@ -86,60 +90,60 @@ mac_destroy_sysv_shm(struct shmid_kernel *shmsegptr) } void -mac_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr) +mac_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr) { - MAC_PERFORM(create_sysv_shm, cred, shmsegptr, shmsegptr->label); + MAC_PERFORM(sysvshm_create, cred, shmsegptr, shmsegptr->label); } void -mac_cleanup_sysv_shm(struct shmid_kernel *shmsegptr) +mac_sysvshm_cleanup(struct shmid_kernel *shmsegptr) { - MAC_PERFORM(cleanup_sysv_shm, shmsegptr->label); + MAC_PERFORM(sysvshm_cleanup, shmsegptr->label); } int -mac_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr, +mac_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr, int shmflg) { int error; - MAC_CHECK(check_sysv_shmat, cred, shmsegptr, shmsegptr->label, + MAC_CHECK(sysvshm_check_shmat, cred, shmsegptr, shmsegptr->label, shmflg); return (error); } int -mac_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr, +mac_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr, int cmd) { int error; - MAC_CHECK(check_sysv_shmctl, cred, shmsegptr, shmsegptr->label, + MAC_CHECK(sysvshm_check_shmctl, cred, shmsegptr, shmsegptr->label, cmd); return (error); } int -mac_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr) +mac_sysvshm_check_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr) { int error; - MAC_CHECK(check_sysv_shmdt, cred, shmsegptr, shmsegptr->label); + MAC_CHECK(sysvshm_check_shmdt, cred, shmsegptr, shmsegptr->label); return (error); } int -mac_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr, +mac_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr, int shmflg) { int error; - MAC_CHECK(check_sysv_shmget, cred, shmsegptr, shmsegptr->label, + MAC_CHECK(sysvshm_check_shmget, cred, shmsegptr, shmsegptr->label, shmflg); return (error); 
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c index ad6a0e6..d6546f6 100644 --- a/sys/security/mac/mac_vfs.c +++ b/sys/security/mac/mac_vfs.c @@ -77,7 +77,7 @@ __FBSDID("$FreeBSD$"); */ static int ea_warn_once = 0; -static int mac_setlabel_vnode_extattr(struct ucred *cred, +static int mac_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp, struct label *intlabel); static struct label * @@ -86,12 +86,12 @@ mac_devfs_label_alloc(void) struct label *label; label = mac_labelzone_alloc(M_WAITOK); - MAC_PERFORM(init_devfs_label, label); + MAC_PERFORM(devfs_init_label, label); return (label); } void -mac_init_devfs(struct devfs_dirent *de) +mac_devfs_init(struct devfs_dirent *de) { de->de_label = mac_devfs_label_alloc(); @@ -103,12 +103,12 @@ mac_mount_label_alloc(void) struct label *label; label = mac_labelzone_alloc(M_WAITOK); - MAC_PERFORM(init_mount_label, label); + MAC_PERFORM(mount_init_label, label); return (label); } void -mac_init_mount(struct mount *mp) +mac_mount_init(struct mount *mp) { mp->mnt_label = mac_mount_label_alloc(); @@ -120,12 +120,12 @@ mac_vnode_label_alloc(void) struct label *label; label = mac_labelzone_alloc(M_WAITOK); - MAC_PERFORM(init_vnode_label, label); + MAC_PERFORM(vnode_init_label, label); return (label); } void -mac_init_vnode(struct vnode *vp) +mac_vnode_init(struct vnode *vp) { vp->v_label = mac_vnode_label_alloc(); @@ -135,12 +135,12 @@ static void mac_devfs_label_free(struct label *label) { - MAC_PERFORM(destroy_devfs_label, label); + MAC_PERFORM(devfs_destroy_label, label); mac_labelzone_free(label); } void -mac_destroy_devfs(struct devfs_dirent *de) +mac_devfs_destroy(struct devfs_dirent *de) { mac_devfs_label_free(de->de_label); 
@@ -151,12 +151,12 @@ static void mac_mount_label_free(struct label *label) { - MAC_PERFORM(destroy_mount_label, label); + MAC_PERFORM(mount_destroy_label, label); mac_labelzone_free(label); } void -mac_destroy_mount(struct mount *mp) +mac_mount_destroy(struct mount *mp) { mac_mount_label_free(mp->mnt_label); @@ -167,12 +167,12 @@ void mac_vnode_label_free(struct label *label) { - MAC_PERFORM(destroy_vnode_label, label); + MAC_PERFORM(vnode_destroy_label, label); mac_labelzone_free(label); } void -mac_destroy_vnode(struct vnode *vp) +mac_vnode_destroy(struct vnode *vp) { mac_vnode_label_free(vp->v_label); @@ -180,14 +180,14 @@ mac_destroy_vnode(struct vnode *vp) } void -mac_copy_vnode_label(struct label *src, struct label *dest) +mac_vnode_copy_label(struct label *src, struct label *dest) { - MAC_PERFORM(copy_vnode_label, src, dest); + MAC_PERFORM(vnode_copy_label, src, dest); } int -mac_externalize_vnode_label(struct label *label, char *elements, +mac_vnode_externalize_label(struct label *label, char *elements, char *outbuf, size_t outbuflen) { int error; @@ -198,7 +198,7 @@ mac_externalize_vnode_label(struct label *label, char *elements, } int -mac_internalize_vnode_label(struct label *label, char *string) +mac_vnode_internalize_label(struct label *label, char *string) { int error; 
@@ -208,39 +208,39 @@ mac_internalize_vnode_label(struct label *label, char *string) } void -mac_update_devfs(struct mount *mp, struct devfs_dirent *de, struct vnode *vp) +mac_devfs_update(struct mount *mp, struct devfs_dirent *de, struct vnode *vp) { - MAC_PERFORM(update_devfs, mp, de, de->de_label, vp, vp->v_label); + MAC_PERFORM(devfs_update, mp, de, de->de_label, vp, vp->v_label); } void -mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de, +mac_devfs_vnode_associate(struct mount *mp, struct devfs_dirent *de, struct vnode *vp) { - MAC_PERFORM(associate_vnode_devfs, mp, mp->mnt_label, de, + MAC_PERFORM(devfs_vnode_associate, mp, mp->mnt_label, de, de->de_label, vp, vp->v_label); } int -mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp) +mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_associate_vnode_extattr"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_associate_extattr"); - MAC_CHECK(associate_vnode_extattr, mp, mp->mnt_label, vp, + MAC_CHECK(vnode_associate_extattr, mp, mp->mnt_label, vp, vp->v_label); return (error); } void -mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp) +mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp) { - MAC_PERFORM(associate_vnode_singlelabel, mp, mp->mnt_label, vp, + MAC_PERFORM(vnode_associate_singlelabel, mp, mp->mnt_label, vp, vp->v_label); } 
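Review bot: Each ASSERT_VOP_LOCKED call here repeats the enclosing function's name as a string literal, e.g. `ASSERT_VOP_LOCKED(vp, "mac_vnode_associate_extattr");`, so a pure rename has to edit every one, and a missed literal would leave a lock-assertion message naming a function that no longer exists. Writing `ASSERT_VOP_LOCKED(vp, __func__);` keeps the diagnostic correct across renames. The same applies to the later mac_vfs.c hunks (`mac_vnode_create_extattr`, `mac_vnode_setlabel_extattr` and the `mac_vnode_check_*` wrappers). It also applies to the `printf("mac_biba_vnode_associate_extattr: ...")` messages in mac_biba.c, which could use `printf("%s: bad size %d\n", __func__, buflen);`. This assumes the macro's second argument is an ordinary string expression, which is not visible in the diff.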
@@ -254,13 +254,13 @@ mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp) * printf warning. */ int -mac_create_vnode_extattr(struct ucred *cred, struct mount *mp, +mac_vnode_create_extattr(struct ucred *cred, struct mount *mp, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; - ASSERT_VOP_LOCKED(dvp, "mac_create_vnode_extattr"); - ASSERT_VOP_LOCKED(vp, "mac_create_vnode_extattr"); + ASSERT_VOP_LOCKED(dvp, "mac_vnode_create_extattr"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_create_extattr"); error = VOP_OPENEXTATTR(vp, cred, curthread); if (error == EOPNOTSUPP) { @@ -272,7 +272,7 @@ mac_create_vnode_extattr(struct ucred *cred, struct mount *mp, } else if (error) return (error); - MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_label, dvp, + MAC_CHECK(vnode_create_extattr, cred, mp, mp->mnt_label, dvp, dvp->v_label, vp, vp->v_label, cnp); if (error) { @@ -288,12 +288,12 @@ mac_create_vnode_extattr(struct ucred *cred, struct mount *mp, } static int -mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, +mac_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp, struct label *intlabel) { int error; - ASSERT_VOP_LOCKED(vp, "mac_setlabel_vnode_extattr"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_setlabel_extattr"); error = VOP_OPENEXTATTR(vp, cred, curthread); if (error == EOPNOTSUPP) { @@ -305,7 +305,7 @@ mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, } else if (error) return (error); - MAC_CHECK(setlabel_vnode_extattr, cred, vp, vp->v_label, intlabel); + MAC_CHECK(vnode_setlabel_extattr, cred, vp, vp->v_label, intlabel); if (error) { VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread); 
@@ -320,487 +320,488 @@ mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, } void -mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp, - struct label *interpvnodelabel, struct image_params *imgp) +mac_vnode_execve_transition(struct ucred *old, struct ucred *new, + struct vnode *vp, struct label *interpvnodelabel, + struct image_params *imgp) { - ASSERT_VOP_LOCKED(vp, "mac_execve_transition"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_execve_transition"); - MAC_PERFORM(execve_transition, old, new, vp, vp->v_label, + MAC_PERFORM(vnode_execve_transition, old, new, vp, vp->v_label, interpvnodelabel, imgp, imgp->execlabel); } int -mac_execve_will_transition(struct ucred *old, struct vnode *vp, +mac_vnode_execve_will_transition(struct ucred *old, struct vnode *vp, struct label *interpvnodelabel, struct image_params *imgp) { int result; - ASSERT_VOP_LOCKED(vp, "mac_execve_will_transition"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_execve_will_transition"); result = 0; - MAC_BOOLEAN(execve_will_transition, ||, old, vp, vp->v_label, + MAC_BOOLEAN(vnode_execve_will_transition, ||, old, vp, vp->v_label, interpvnodelabel, imgp, imgp->execlabel); return (result); } int -mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int acc_mode) +mac_vnode_check_access(struct ucred *cred, struct vnode *vp, int acc_mode) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_check_access"); - MAC_CHECK(check_vnode_access, cred, vp, vp->v_label, acc_mode); + MAC_CHECK(vnode_check_access, cred, vp, vp->v_label, acc_mode); return (error); } int -mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp) +mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp) { int error; - ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir"); + ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_chdir"); - MAC_CHECK(check_vnode_chdir, cred, dvp, dvp->v_label); + MAC_CHECK(vnode_check_chdir, cred, dvp, dvp->v_label); return (error); } int 
-mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp) +mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp) { int error; - ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot"); + ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_chroot"); - MAC_CHECK(check_vnode_chroot, cred, dvp, dvp->v_label); + MAC_CHECK(vnode_check_chroot, cred, dvp, dvp->v_label); return (error); } int -mac_check_vnode_create(struct ucred *cred, struct vnode *dvp, +mac_vnode_check_create(struct ucred *cred, struct vnode *dvp, struct componentname *cnp, struct vattr *vap) { int error; - ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create"); + ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_create"); - MAC_CHECK(check_vnode_create, cred, dvp, dvp->v_label, cnp, vap); + MAC_CHECK(vnode_check_create, cred, dvp, dvp->v_label, cnp, vap); return (error); } int -mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, +mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp, acl_type_t type) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_check_deleteacl"); - MAC_CHECK(check_vnode_deleteacl, cred, vp, vp->v_label, type); + MAC_CHECK(vnode_check_deleteacl, cred, vp, vp->v_label, type); return (error); } int -mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp, +mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteextattr"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_check_deleteextattr"); - MAC_CHECK(check_vnode_deleteextattr, cred, vp, vp->v_label, + MAC_CHECK(vnode_check_deleteextattr, cred, vp, vp->v_label, attrnamespace, name); return (error); } int -mac_check_vnode_exec(struct ucred *cred, struct vnode *vp, +mac_vnode_check_exec(struct ucred *cred, struct vnode *vp, struct image_params *imgp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_check_exec"); - 
MAC_CHECK(check_vnode_exec, cred, vp, vp->v_label, imgp, + MAC_CHECK(vnode_check_exec, cred, vp, vp->v_label, imgp, imgp->execlabel); return (error); } int -mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type) +mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_check_getacl"); - MAC_CHECK(check_vnode_getacl, cred, vp, vp->v_label, type); + MAC_CHECK(vnode_check_getacl, cred, vp, vp->v_label, type); return (error); } int -mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, +mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_check_getextattr"); - MAC_CHECK(check_vnode_getextattr, cred, vp, vp->v_label, + MAC_CHECK(vnode_check_getextattr, cred, vp, vp->v_label, attrnamespace, name, uio); return (error); } int -mac_check_vnode_link(struct ucred *cred, struct vnode *dvp, +mac_vnode_check_link(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; - ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link"); - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link"); + ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_link"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_check_link"); - MAC_CHECK(check_vnode_link, cred, dvp, dvp->v_label, vp, + MAC_CHECK(vnode_check_link, cred, dvp, dvp->v_label, vp, vp->v_label, cnp); return (error); } int -mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, +mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp, int attrnamespace) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_listextattr"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_check_listextattr"); - MAC_CHECK(check_vnode_listextattr, cred, vp, vp->v_label, + MAC_CHECK(vnode_check_listextattr, cred, vp, vp->v_label, 
attrnamespace); return (error); } int -mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, +mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { int error; - ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup"); + ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_lookup"); - MAC_CHECK(check_vnode_lookup, cred, dvp, dvp->v_label, cnp); + MAC_CHECK(vnode_check_lookup, cred, dvp, dvp->v_label, cnp); return (error); } int -mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, +mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot, int flags) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mmap"); - MAC_CHECK(check_vnode_mmap, cred, vp, vp->v_label, prot, flags); + MAC_CHECK(vnode_check_mmap, cred, vp, vp->v_label, prot, flags); return (error); } void -mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot) +mac_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot) { int result = *prot; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_downgrade"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mmap_downgrade"); - MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, vp->v_label, + MAC_PERFORM(vnode_check_mmap_downgrade, cred, vp, vp->v_label, &result); *prot = result; } int -mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, int prot) +mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, int prot) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mprotect"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mprotect"); - MAC_CHECK(check_vnode_mprotect, cred, vp, vp->v_label, prot); + MAC_CHECK(vnode_check_mprotect, cred, vp, vp->v_label, prot); return (error); } int -mac_check_vnode_open(struct ucred *cred, struct vnode *vp, int acc_mode) +mac_vnode_check_open(struct ucred *cred, struct vnode *vp, int acc_mode) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + ASSERT_VOP_LOCKED(vp, 
"mac_vnode_check_open"); - MAC_CHECK(check_vnode_open, cred, vp, vp->v_label, acc_mode); + MAC_CHECK(vnode_check_open, cred, vp, vp->v_label, acc_mode); return (error); } int -mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, +mac_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_check_poll"); - MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp, + MAC_CHECK(vnode_check_poll, active_cred, file_cred, vp, vp->v_label); return (error); } int -mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, +mac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_check_read"); - MAC_CHECK(check_vnode_read, active_cred, file_cred, vp, + MAC_CHECK(vnode_check_read, active_cred, file_cred, vp, vp->v_label); return (error); } int -mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) +mac_vnode_check_readdir(struct ucred *cred, struct vnode *dvp) { int error; - ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir"); + ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_readdir"); - MAC_CHECK(check_vnode_readdir, cred, dvp, dvp->v_label); + MAC_CHECK(vnode_check_readdir, cred, dvp, dvp->v_label); return (error); } int -mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp) +mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_check_readlink"); - MAC_CHECK(check_vnode_readlink, cred, vp, vp->v_label); + MAC_CHECK(vnode_check_readlink, cred, vp, vp->v_label); return (error); } static int -mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp, +mac_vnode_check_relabel(struct ucred *cred, struct vnode *vp, struct label *newlabel) { int error; - ASSERT_VOP_LOCKED(vp, 
"mac_check_vnode_relabel"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_check_relabel"); - MAC_CHECK(check_vnode_relabel, cred, vp, vp->v_label, newlabel); + MAC_CHECK(vnode_check_relabel, cred, vp, vp->v_label, newlabel); return (error); } int -mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, +mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; - ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from"); - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from"); + ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_rename_from"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_check_rename_from"); - MAC_CHECK(check_vnode_rename_from, cred, dvp, dvp->v_label, vp, + MAC_CHECK(vnode_check_rename_from, cred, dvp, dvp->v_label, vp, vp->v_label, cnp); return (error); } int -mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, +mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp, struct vnode *vp, int samedir, struct componentname *cnp) { int error; - ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to"); - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to"); + ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_rename_to"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_check_rename_to"); - MAC_CHECK(check_vnode_rename_to, cred, dvp, dvp->v_label, vp, + MAC_CHECK(vnode_check_rename_to, cred, dvp, dvp->v_label, vp, vp != NULL ? 
vp->v_label : NULL, samedir, cnp); return (error); } int -mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp) +mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_check_revoke"); - MAC_CHECK(check_vnode_revoke, cred, vp, vp->v_label); + MAC_CHECK(vnode_check_revoke, cred, vp, vp->v_label); return (error); } int -mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type, +mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type, struct acl *acl) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setacl"); - MAC_CHECK(check_vnode_setacl, cred, vp, vp->v_label, type, acl); + MAC_CHECK(vnode_check_setacl, cred, vp, vp->v_label, type, acl); return (error); } int -mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, +mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setextattr"); - MAC_CHECK(check_vnode_setextattr, cred, vp, vp->v_label, + MAC_CHECK(vnode_check_setextattr, cred, vp, vp->v_label, attrnamespace, name, uio); return (error); } int -mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags) +mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp, u_long flags) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setflags"); - MAC_CHECK(check_vnode_setflags, cred, vp, vp->v_label, flags); + MAC_CHECK(vnode_check_setflags, cred, vp, vp->v_label, flags); return (error); } int -mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode) +mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp, mode_t mode) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode"); + 
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setmode"); - MAC_CHECK(check_vnode_setmode, cred, vp, vp->v_label, mode); + MAC_CHECK(vnode_check_setmode, cred, vp, vp->v_label, mode); return (error); } int -mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid, +mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp, uid_t uid, gid_t gid) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setowner"); - MAC_CHECK(check_vnode_setowner, cred, vp, vp->v_label, uid, gid); + MAC_CHECK(vnode_check_setowner, cred, vp, vp->v_label, uid, gid); return (error); } int -mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, +mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp, struct timespec atime, struct timespec mtime) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setutimes"); - MAC_CHECK(check_vnode_setutimes, cred, vp, vp->v_label, atime, + MAC_CHECK(vnode_check_setutimes, cred, vp, vp->v_label, atime, mtime); return (error); } int -mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, +mac_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_check_stat"); - MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp, + MAC_CHECK(vnode_check_stat, active_cred, file_cred, vp, vp->v_label); return (error); } int -mac_check_vnode_unlink(struct ucred *cred, struct vnode *dvp, struct vnode *vp, +mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; - ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_unlink"); - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_unlink"); + ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_unlink"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_check_unlink"); - MAC_CHECK(check_vnode_unlink, cred, dvp, dvp->v_label, vp, + 
MAC_CHECK(vnode_check_unlink, cred, dvp, dvp->v_label, vp, vp->v_label, cnp); return (error); } int -mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred, +mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + ASSERT_VOP_LOCKED(vp, "mac_vnode_check_write"); - MAC_CHECK(check_vnode_write, active_cred, file_cred, vp, + MAC_CHECK(vnode_check_write, active_cred, file_cred, vp, vp->v_label); return (error); } void -mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel) +mac_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *newlabel) { - MAC_PERFORM(relabel_vnode, cred, vp, vp->v_label, newlabel); + MAC_PERFORM(vnode_relabel, cred, vp, vp->v_label, newlabel); } void -mac_create_mount(struct ucred *cred, struct mount *mp) +mac_mount_create(struct ucred *cred, struct mount *mp) { - MAC_PERFORM(create_mount, cred, mp, mp->mnt_label); + MAC_PERFORM(mount_create, cred, mp, mp->mnt_label); } int -mac_check_mount_stat(struct ucred *cred, struct mount *mount) +mac_mount_check_stat(struct ucred *cred, struct mount *mount) { int error; - MAC_CHECK(check_mount_stat, cred, mount, mount->mnt_label); + MAC_CHECK(mount_check_stat, cred, mount, mount->mnt_label); return (error); } void -mac_create_devfs_device(struct ucred *cred, struct mount *mp, +mac_devfs_create_device(struct ucred *cred, struct mount *mp, struct cdev *dev, struct devfs_dirent *de) { - MAC_PERFORM(create_devfs_device, cred, mp, dev, de, de->de_label); + MAC_PERFORM(devfs_create_device, cred, mp, dev, de, de->de_label); } void -mac_create_devfs_symlink(struct ucred *cred, struct mount *mp, +mac_devfs_create_symlink(struct ucred *cred, struct mount *mp, struct devfs_dirent *dd, struct devfs_dirent *de) { - MAC_PERFORM(create_devfs_symlink, cred, mp, dd, dd->de_label, de, + MAC_PERFORM(devfs_create_symlink, cred, mp, dd, dd->de_label, de, de->de_label); } 
void -mac_create_devfs_directory(struct mount *mp, char *dirname, int dirnamelen, +mac_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen, struct devfs_dirent *de) { - MAC_PERFORM(create_devfs_directory, mp, dirname, dirnamelen, de, + MAC_PERFORM(devfs_create_directory, mp, dirname, dirnamelen, de, de->de_label); } @@ -821,11 +822,11 @@ vop_stdsetlabel_ea(struct vop_setlabel_args *ap) if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) return (EOPNOTSUPP); - error = mac_setlabel_vnode_extattr(ap->a_cred, vp, intlabel); + error = mac_vnode_setlabel_extattr(ap->a_cred, vp, intlabel); if (error) return (error); - mac_relabel_vnode(ap->a_cred, vp, intlabel); + mac_vnode_relabel(ap->a_cred, vp, intlabel); return (0); } @@ -853,7 +854,7 @@ vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred) * Question: maybe the filesystem should update the vnode at the end * as part of VOP_SETLABEL()? */ - error = mac_check_vnode_relabel(cred, vp, intlabel); + error = mac_vnode_check_relabel(cred, vp, intlabel); if (error) return (error); diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c index 5a87aee..2b66972 100644 --- a/sys/security/mac_biba/mac_biba.c +++ b/sys/security/mac_biba/mac_biba.c @@ -1,6 +1,7 @@ /*- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson * Copyright (c) 2001-2005 McAfee, Inc. + * Copyright (c) 2006 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -10,6 +11,9 @@ * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA * CHATS research program. * + * This software was enhanced by SPARTA ISSO under SPAWAR contract + * N66001-04-C-6019 ("SEFOS"). + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: 
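Review bot: In `mac_vnode_check_rename_to` the new side still calls `ASSERT_VOP_LOCKED(vp, "mac_vnode_check_rename_to");` unconditionally, while the MAC_CHECK right after it passes `vp != NULL ? vp->v_label : NULL`, so `vp` is evidently allowed to be NULL on this path. Whether the assertion macro tolerates a NULL vnode cannot be seen from this hunk. Either guard it with `if (vp != NULL) ASSERT_VOP_LOCKED(vp, ...);` or state the contract in a comment such as `/* vp may be NULL (presumably no existing target); policies then receive a NULL label. */`. Policy modules implementing `vnode_check_rename_to` need the same reminder, since dereferencing the label argument without a NULL test would fault inside an access-control decision.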
@@ -783,7 +787,7 @@ mac_biba_copy_label(struct label *src, struct label *dest) * a lot like file system objects. */ static void -mac_biba_create_devfs_device(struct ucred *cred, struct mount *mp, +mac_biba_devfs_create_device(struct ucred *cred, struct mount *mp, struct cdev *dev, struct devfs_dirent *de, struct label *delabel) { struct mac_biba *mac_biba; @@ -805,7 +809,7 @@ mac_biba_create_devfs_device(struct ucred *cred, struct mount *mp, } static void -mac_biba_create_devfs_directory(struct mount *mp, char *dirname, +mac_biba_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen, struct devfs_dirent *de, struct label *delabel) { struct mac_biba *mac_biba; @@ -815,7 +819,7 @@ mac_biba_create_devfs_directory(struct mount *mp, char *dirname, } static void -mac_biba_create_devfs_symlink(struct ucred *cred, struct mount *mp, +mac_biba_devfs_create_symlink(struct ucred *cred, struct mount *mp, struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, struct label *delabel) { @@ -828,7 +832,7 @@ mac_biba_create_devfs_symlink(struct ucred *cred, struct mount *mp, } static void -mac_biba_create_mount(struct ucred *cred, struct mount *mp, +mac_biba_mount_create(struct ucred *cred, struct mount *mp, struct label *mplabel) { struct mac_biba *source, *dest; @@ -839,7 +843,7 @@ mac_biba_create_mount(struct ucred *cred, struct mount *mp, } static void -mac_biba_relabel_vnode(struct ucred *cred, struct vnode *vp, +mac_biba_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct label *newlabel) { struct mac_biba *source, *dest; @@ -851,7 +855,7 @@ mac_biba_relabel_vnode(struct ucred *cred, struct vnode *vp, } static void -mac_biba_update_devfs(struct mount *mp, struct devfs_dirent *de, +mac_biba_devfs_update(struct mount *mp, struct devfs_dirent *de, struct label *delabel, struct vnode *vp, struct label *vplabel) { struct mac_biba *source, *dest; 
@@ -863,7 +867,7 @@ mac_biba_update_devfs(struct mount *mp, struct devfs_dirent *de,
 }
 static void
-mac_biba_associate_vnode_devfs(struct mount *mp, struct label *mntlabel,
+mac_biba_devfs_vnode_associate(struct mount *mp, struct label *mntlabel,
 struct devfs_dirent *de, struct label *delabel, struct vnode *vp, struct label *vplabel)
 {
@@ -876,7 +880,7 @@ mac_biba_associate_vnode_devfs(struct mount *mp, struct label *mntlabel,
 }
 static int
-mac_biba_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
+mac_biba_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
 struct vnode *vp, struct label *vplabel)
 {
 struct mac_biba temp, *source, *dest;
@@ -898,16 +902,16 @@ mac_biba_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
 return (error);
 if (buflen != sizeof(temp)) {
- printf("mac_biba_associate_vnode_extattr: bad size %d\n",
+ printf("mac_biba_vnode_associate_extattr: bad size %d\n",
 buflen);
 return (EPERM);
 }
 if (mac_biba_valid(&temp) != 0) {
- printf("mac_biba_associate_vnode_extattr: invalid\n");
+ printf("mac_biba_vnode_associate_extattr: invalid\n");
 return (EPERM);
 }
 if ((temp.mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_EFFECTIVE) {
- printf("mac_biba_associate_vnode_extattr: not effective\n");
+ printf("mac_biba_vnode_associate_extattr: not effective\n");
 return (EPERM);
 }
@@ -916,7 +920,7 @@ mac_biba_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
 }
 static void
-mac_biba_associate_vnode_singlelabel(struct mount *mp,
+mac_biba_vnode_associate_singlelabel(struct mount *mp,
 struct label *mplabel, struct vnode *vp, struct label *vplabel)
 {
 struct mac_biba *source, *dest;
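Review bot: The three rejection messages in mac_biba_vnode_associate_extattr (hunk at -898,16) still hard-code the function name inside the string, which is why a pure rename had to edit runtime text. Using `__func__` keeps the prefix correct across future renames, e.g. `printf("%s: bad size %d\n", __func__, buflen);`, and the same form for the "invalid" and "not effective" messages. These lines appear to be the only trace left when a stored label is refused with EPERM, so the changed prefix is worth calling out in the commit message for anyone matching the old text in logs. The function body starts and ends outside this hunk.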
@@ -928,7 +932,7 @@ mac_biba_associate_vnode_singlelabel(struct mount *mp,
 }
 static int
-mac_biba_create_vnode_extattr(struct ucred *cred, struct mount *mp,
+mac_biba_vnode_create_extattr(struct ucred *cred, struct mount *mp,
 struct label *mplabel, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp)
 {
@@ -951,7 +955,7 @@ mac_biba_create_vnode_extattr(struct ucred *cred, struct mount *mp,
 }
 static int
-mac_biba_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, struct label *intlabel)
 {
 struct mac_biba *source, temp;
@@ -976,7 +980,7 @@ mac_biba_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
 * Labeling event operations: IPC object.
 */
 static void
-mac_biba_create_inpcb_from_socket(struct socket *so, struct label *solabel,
+mac_biba_inpcb_create(struct socket *so, struct label *solabel,
 struct inpcb *inp, struct label *inplabel)
 {
 struct mac_biba *source, *dest;
@@ -988,7 +992,7 @@ mac_biba_create_inpcb_from_socket(struct socket *so, struct label *solabel,
 }
 static void
-mac_biba_create_mbuf_from_socket(struct socket *so, struct label *solabel,
+mac_biba_socket_create_mbuf(struct socket *so, struct label *solabel,
 struct mbuf *m, struct label *mlabel)
 {
 struct mac_biba *source, *dest;
@@ -1000,7 +1004,7 @@ mac_biba_create_mbuf_from_socket(struct socket *so, struct label *solabel,
 }
 static void
-mac_biba_create_socket(struct ucred *cred, struct socket *so,
+mac_biba_socket_create(struct ucred *cred, struct socket *so,
 struct label *solabel)
 {
 struct mac_biba *source, *dest;
@@ -1012,7 +1016,7 @@ mac_biba_create_socket(struct ucred *cred, struct socket *so,
 }
 static void
-mac_biba_create_pipe(struct ucred *cred, struct pipepair *pp,
+mac_biba_pipe_create(struct ucred *cred, struct pipepair *pp,
 struct label *pplabel)
 {
 struct mac_biba *source, *dest;
@@ -1024,7 +1028,7 @@ mac_biba_create_pipe(struct ucred *cred, struct pipepair *pp,
 }
 static void
-mac_biba_create_posix_sem(struct ucred *cred, struct ksem *ks,
+mac_biba_posixsem_create(struct ucred *cred, struct ksem *ks,
 struct label *kslabel)
 {
 struct mac_biba *source, *dest;
@@ -1036,8 +1040,8 @@ mac_biba_create_posix_sem(struct ucred *cred, struct ksem *ks,
 }
 static void
-mac_biba_create_socket_from_socket(struct socket *oldso,
- struct label *oldsolabel, struct socket *newso, struct label *newsolabel)
+mac_biba_socket_newconn(struct socket *oldso, struct label *oldsolabel,
+ struct socket *newso, struct label *newsolabel)
 {
 struct mac_biba *source, *dest;
@@ -1048,7 +1052,7 @@ mac_biba_create_socket_from_socket(struct socket *oldso,
 }
 static void
-mac_biba_relabel_socket(struct ucred *cred, struct socket *so,
+mac_biba_socket_relabel(struct ucred *cred, struct socket *so,
 struct label *solabel, struct label *newlabel)
 {
 struct mac_biba *source, *dest;
@@ -1060,7 +1064,7 @@ mac_biba_relabel_socket(struct ucred *cred, struct socket *so,
 }
 static void
-mac_biba_relabel_pipe(struct ucred *cred, struct pipepair *pp,
+mac_biba_pipe_relabel(struct ucred *cred, struct pipepair *pp,
 struct label *pplabel, struct label *newlabel)
 {
 struct mac_biba *source, *dest;
@@ -1072,7 +1076,7 @@ mac_biba_relabel_pipe(struct ucred *cred, struct pipepair *pp,
 }
 static void
-mac_biba_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
+mac_biba_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
 struct socket *so, struct label *sopeerlabel)
 {
 struct mac_biba *source, *dest;
@@ -1087,7 +1091,7 @@ mac_biba_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
 * Labeling event operations: System V IPC objects.
 */
 static void
-mac_biba_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
+mac_biba_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
 struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
 {
 struct mac_biba *source, *dest;
@@ -1100,7 +1104,7 @@ mac_biba_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
 }
 static void
-mac_biba_create_sysv_msgqueue(struct ucred *cred,
+mac_biba_sysvmsq_create(struct ucred *cred,
 struct msqid_kernel *msqkptr, struct label *msqlabel)
 {
 struct mac_biba *source, *dest;
@@ -1112,7 +1116,7 @@ mac_biba_create_sysv_msgqueue(struct ucred *cred,
 }
 static void
-mac_biba_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
+mac_biba_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr,
 struct label *semalabel)
 {
 struct mac_biba *source, *dest;
@@ -1124,7 +1128,7 @@ mac_biba_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
 }
 static void
-mac_biba_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
+mac_biba_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr,
 struct label *shmlabel)
 {
 struct mac_biba *source, *dest;
@@ -1139,7 +1143,7 @@ mac_biba_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
 * Labeling event operations: network objects.
 */
 static void
-mac_biba_set_socket_peer_from_socket(struct socket *oldso,
+mac_biba_socketpeer_set_from_socket(struct socket *oldso,
 struct label *oldsolabel, struct socket *newso, struct label *newsopeerlabel)
 {
@@ -1152,7 +1156,7 @@ mac_biba_set_socket_peer_from_socket(struct socket *oldso,
 }
 static void
-mac_biba_create_bpfdesc(struct ucred *cred, struct bpf_d *d,
+mac_biba_bpfdesc_create(struct ucred *cred, struct bpf_d *d,
 struct label *dlabel)
 {
 struct mac_biba *source, *dest;
@@ -1164,7 +1168,7 @@ mac_biba_create_bpfdesc(struct ucred *cred, struct bpf_d *d,
 }
 static void
-mac_biba_create_ifnet(struct ifnet *ifp, struct label *ifplabel)
+mac_biba_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
 {
 char tifname[IFNAMSIZ], *p, *q;
 char tiflist[sizeof(trusted_interfaces)];
@@ -1221,7 +1225,7 @@ set:
 }
 static void
-mac_biba_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+mac_biba_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
 struct label *ipqlabel)
 {
 struct mac_biba *source, *dest;
@@ -1233,7 +1237,7 @@ mac_biba_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
 }
 static void
-mac_biba_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
+mac_biba_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel,
 struct mbuf *m, struct label *mlabel)
 {
 struct mac_biba *source, *dest;
@@ -1246,7 +1250,7 @@ mac_biba_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
 }
 static void
-mac_biba_create_fragment(struct mbuf *m, struct label *mlabel,
+mac_biba_netinet_fragment(struct mbuf *m, struct label *mlabel,
 struct mbuf *frag, struct label *fraglabel)
 {
 struct mac_biba *source, *dest;
@@ -1258,7 +1262,7 @@ mac_biba_create_fragment(struct mbuf *m, struct label *mlabel,
 }
 static void
-mac_biba_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+mac_biba_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
 struct mbuf *m, struct label *mlabel)
 {
 struct mac_biba *source, *dest;
@@ -1281,7 +1285,7 @@ mac_biba_create_mbuf_linklayer(struct ifnet *ifp, struct label *ifplabel,
 }
 static void
-mac_biba_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel,
+mac_biba_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
 struct mbuf *m, struct label *mlabel)
 {
 struct mac_biba *source, *dest;
@@ -1293,7 +1297,7 @@ mac_biba_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel,
 }
 static void
-mac_biba_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel,
+mac_biba_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel,
 struct mbuf *m, struct label *mlabel)
 {
 struct mac_biba *source, *dest;
@@ -1305,7 +1309,7 @@ mac_biba_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel,
 }
 static void
-mac_biba_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
+mac_biba_mbuf_create_multicast_encap(struct mbuf *m, struct label *mlabel,
 struct ifnet *ifp, struct label *ifplabel, struct mbuf *mnew, struct label *mnewlabel)
 {
@@ -1318,7 +1322,7 @@ mac_biba_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
 }
 static void
-mac_biba_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel,
+mac_biba_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel,
 struct mbuf *newm, struct label *mnewlabel)
 {
 struct mac_biba *source, *dest;
@@ -1330,8 +1334,8 @@ mac_biba_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel,
 }
 static int
-mac_biba_fragment_match(struct mbuf *m, struct label *mlabel,
- struct ipq *ipq, struct label *ipqlabel)
+mac_biba_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+ struct label *ipqlabel)
 {
 struct mac_biba *a, *b;
@@ -1342,7 +1346,7 @@ mac_biba_fragment_match(struct mbuf *m, struct label *mlabel,
 }
 static void
-mac_biba_relabel_ifnet(struct ucred *cred, struct ifnet *ifp,
+mac_biba_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
 struct label *ifplabel, struct label *newlabel)
 {
 struct mac_biba *source, *dest;
@@ -1354,7 +1358,7 @@ mac_biba_relabel_ifnet(struct ucred *cred, struct ifnet *ifp,
 }
 static void
-mac_biba_update_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+mac_biba_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
 struct label *ipqlabel)
 {
@@ -1374,7 +1378,7 @@ mac_biba_inpcb_sosetlabel(struct socket *so, struct label *solabel,
 }
 static void
-mac_biba_create_mbuf_from_firewall(struct mbuf *m, struct label *label)
+mac_biba_mbuf_create_from_firewall(struct mbuf *m, struct label *label)
 {
 struct mac_biba *dest;
@@ -1388,7 +1392,7 @@ mac_biba_create_mbuf_from_firewall(struct mbuf *m, struct label *label)
 * Labeling event operations: processes.
 */
 static void
-mac_biba_create_proc0(struct ucred *cred)
+mac_biba_proc_create_swapper(struct ucred *cred)
 {
 struct mac_biba *dest;
@@ -1400,7 +1404,7 @@ mac_biba_create_proc0(struct ucred *cred)
 }
 static void
-mac_biba_create_proc1(struct ucred *cred)
+mac_biba_proc_create_init(struct ucred *cred)
 {
 struct mac_biba *dest;
@@ -1412,7 +1416,7 @@ mac_biba_create_proc1(struct ucred *cred)
 }
 static void
-mac_biba_relabel_cred(struct ucred *cred, struct label *newlabel)
+mac_biba_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
 struct mac_biba *source, *dest;
@@ -1426,28 +1430,28 @@ mac_biba_relabel_cred(struct ucred *cred, struct label *newlabel)
 * Label cleanup/flush operations
 */
 static void
-mac_biba_cleanup_sysv_msgmsg(struct label *msglabel)
+mac_biba_sysvmsg_cleanup(struct label *msglabel)
 {
 bzero(SLOT(msglabel), sizeof(struct mac_biba));
 }
 static void
-mac_biba_cleanup_sysv_msgqueue(struct label *msqlabel)
+mac_biba_sysvmsq_cleanup(struct label *msqlabel)
 {
 bzero(SLOT(msqlabel), sizeof(struct mac_biba));
 }
 static void
-mac_biba_cleanup_sysv_sem(struct label *semalabel)
+mac_biba_sysvsem_cleanup(struct label *semalabel)
 {
 bzero(SLOT(semalabel), sizeof(struct mac_biba));
 }
 static void
-mac_biba_cleanup_sysv_shm(struct label *shmlabel)
+mac_biba_sysvshm_cleanup(struct label *shmlabel)
 {
 bzero(SLOT(shmlabel), sizeof(struct mac_biba));
 }
@@ -1456,7 +1460,7 @@ mac_biba_cleanup_sysv_shm(struct label *shmlabel)
 * Access control checks.
 */
 static int
-mac_biba_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
+mac_biba_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
 struct ifnet *ifp, struct label *ifplabel)
 {
 struct mac_biba *a, *b;
@@ -1473,7 +1477,7 @@ mac_biba_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
 }
 static int
-mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel)
+mac_biba_cred_check_relabel(struct ucred *cred, struct label *newlabel)
 {
 struct mac_biba *subj, *new;
 int error;
@@ -1535,7 +1539,7 @@ mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel)
 }
 static int
-mac_biba_check_cred_visible(struct ucred *u1, struct ucred *u2)
+mac_biba_cred_check_visible(struct ucred *u1, struct ucred *u2)
 {
 struct mac_biba *subj, *obj;
@@ -1553,7 +1557,7 @@ mac_biba_check_cred_visible(struct ucred *u1, struct ucred *u2)
 }
 static int
-mac_biba_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
+mac_biba_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
 struct label *ifplabel, struct label *newlabel)
 {
 struct mac_biba *subj, *new;
@@ -1581,7 +1585,7 @@ mac_biba_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
 }
 static int
-mac_biba_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
+mac_biba_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
 struct mbuf *m, struct label *mlabel)
 {
 struct mac_biba *p, *i;
@@ -1596,7 +1600,7 @@ mac_biba_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
 }
 static int
-mac_biba_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
+mac_biba_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
 struct mbuf *m, struct label *mlabel)
 {
 struct mac_biba *p, *i;
@@ -1611,7 +1615,7 @@ mac_biba_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
 }
 static int
-mac_biba_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
+mac_biba_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr,
 struct label *msglabel)
 {
 struct mac_biba *subj, *obj;
@@ -1629,7 +1633,7 @@ mac_biba_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
 }
 static int
-mac_biba_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
+mac_biba_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr,
 struct label *msglabel)
 {
 struct mac_biba *subj, *obj;
@@ -1647,8 +1651,8 @@ mac_biba_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
 }
 static int
-mac_biba_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel)
+mac_biba_sysvmsq_check_msqget(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel)
 {
 struct mac_biba *subj, *obj;
@@ -1665,8 +1669,8 @@ mac_biba_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
 }
 static int
-mac_biba_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel)
+mac_biba_sysvmsq_check_msqsnd(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel)
 {
 struct mac_biba *subj, *obj;
@@ -1683,8 +1687,8 @@ mac_biba_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
 }
 static int
-mac_biba_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel)
+mac_biba_sysvmsq_check_msqrcv(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel)
 {
 struct mac_biba *subj, *obj;
@@ -1702,8 +1706,8 @@ mac_biba_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
 static int
-mac_biba_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel, int cmd)
+mac_biba_sysvmsq_check_msqctl(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel, int cmd)
 {
 struct mac_biba *subj, *obj;
@@ -1733,8 +1737,8 @@ mac_biba_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
 }
 static int
-mac_biba_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
- struct label *semaklabel, int cmd)
+mac_biba_sysvsem_check_semctl(struct ucred *cred,
+ struct semid_kernel *semakptr, struct label *semaklabel, int cmd)
 {
 struct mac_biba *subj, *obj;
@@ -1771,8 +1775,8 @@ mac_biba_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
 }
 static int
-mac_biba_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
- struct label *semaklabel)
+mac_biba_sysvsem_check_semget(struct ucred *cred,
+ struct semid_kernel *semakptr, struct label *semaklabel)
 {
 struct mac_biba *subj, *obj;
@@ -1790,8 +1794,9 @@ mac_biba_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
 static int
-mac_biba_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
- struct label *semaklabel, size_t accesstype)
+mac_biba_sysvsem_check_semop(struct ucred *cred,
+ struct semid_kernel *semakptr, struct label *semaklabel,
+ size_t accesstype)
 {
 struct mac_biba *subj, *obj;
@@ -1813,8 +1818,8 @@ mac_biba_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
 }
 static int
-mac_biba_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmseglabel, int shmflg)
+mac_biba_sysvshm_check_shmat(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg)
 {
 struct mac_biba *subj, *obj;
@@ -1835,8 +1840,8 @@ mac_biba_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
 }
 static int
-mac_biba_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmseglabel, int cmd)
+mac_biba_sysvshm_check_shmctl(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, struct label *shmseglabel, int cmd)
 {
 struct mac_biba *subj, *obj;
@@ -1867,8 +1872,8 @@ mac_biba_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
 }
 static int
-mac_biba_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmseglabel, int shmflg)
+mac_biba_sysvshm_check_shmget(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg)
 {
 struct mac_biba *subj, *obj;
@@ -1885,7 +1890,7 @@ mac_biba_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
 }
 static int
-mac_biba_check_kld_load(struct ucred *cred, struct vnode *vp,
+mac_biba_kld_check_load(struct ucred *cred, struct vnode *vp,
 struct label *vplabel)
 {
 struct mac_biba *subj, *obj;
@@ -1908,7 +1913,7 @@ mac_biba_check_kld_load(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_biba_check_mount_stat(struct ucred *cred, struct mount *mp,
+mac_biba_mount_check_stat(struct ucred *cred, struct mount *mp,
 struct label *mplabel)
 {
 struct mac_biba *subj, *obj;
@@ -1926,7 +1931,7 @@ mac_biba_check_mount_stat(struct ucred *cred, struct mount *mp,
 }
 static int
-mac_biba_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
+mac_biba_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
 struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
 {
@@ -1939,7 +1944,7 @@ mac_biba_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
 }
 static int
-mac_biba_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
+mac_biba_pipe_check_poll(struct ucred *cred, struct pipepair *pp,
 struct label *pplabel)
 {
 struct mac_biba *subj, *obj;
@@ -1957,7 +1962,7 @@ mac_biba_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
 }
 static int
-mac_biba_check_pipe_read(struct ucred *cred, struct pipepair *pp,
+mac_biba_pipe_check_read(struct ucred *cred, struct pipepair *pp,
 struct label *pplabel)
 {
 struct mac_biba *subj, *obj;
@@ -1975,7 +1980,7 @@ mac_biba_check_pipe_read(struct ucred *cred, struct pipepair *pp,
 }
 static int
-mac_biba_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
+mac_biba_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
 struct label *pplabel, struct label *newlabel)
 {
 struct mac_biba *subj, *obj, *new;
@@ -2026,7 +2031,7 @@ mac_biba_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
 }
 static int
-mac_biba_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
+mac_biba_pipe_check_stat(struct ucred *cred, struct pipepair *pp,
 struct label *pplabel)
 {
 struct mac_biba *subj, *obj;
@@ -2044,7 +2049,7 @@ mac_biba_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
 }
 static int
-mac_biba_check_pipe_write(struct ucred *cred, struct pipepair *pp,
+mac_biba_pipe_check_write(struct ucred *cred, struct pipepair *pp,
 struct label *pplabel)
 {
 struct mac_biba *subj, *obj;
@@ -2062,7 +2067,7 @@ mac_biba_check_pipe_write(struct ucred *cred, struct pipepair *pp,
 }
 static int
-mac_biba_check_posix_sem_write(struct ucred *cred, struct ksem *ks,
+mac_biba_posixsem_check_write(struct ucred *cred, struct ksem *ks,
 struct label *kslabel)
 {
 struct mac_biba *subj, *obj;
@@ -2080,7 +2085,7 @@ mac_biba_check_posix_sem_write(struct ucred *cred, struct ksem *ks,
 }
 static int
-mac_biba_check_posix_sem_rdonly(struct ucred *cred, struct ksem *ks,
+mac_biba_posixsem_check_rdonly(struct ucred *cred, struct ksem *ks,
 struct label *kslabel)
 {
 struct mac_biba *subj, *obj;
@@ -2098,7 +2103,7 @@ mac_biba_check_posix_sem_rdonly(struct ucred *cred, struct ksem *ks,
 }
 static int
-mac_biba_check_proc_debug(struct ucred *cred, struct proc *p)
+mac_biba_proc_check_debug(struct ucred *cred, struct proc *p)
 {
 struct mac_biba *subj, *obj;
@@ -2118,7 +2123,7 @@ mac_biba_check_proc_debug(struct ucred *cred, struct proc *p)
 }
 static int
-mac_biba_check_proc_sched(struct ucred *cred, struct proc *p)
+mac_biba_proc_check_sched(struct ucred *cred, struct proc *p)
 {
 struct mac_biba *subj, *obj;
@@ -2138,7 +2143,7 @@ mac_biba_check_proc_sched(struct ucred *cred, struct proc *p)
 }
 static int
-mac_biba_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
+mac_biba_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
 {
 struct mac_biba *subj, *obj;
@@ -2158,7 +2163,7 @@ mac_biba_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
 }
 static int
-mac_biba_check_socket_deliver(struct socket *so, struct label *solabel,
+mac_biba_socket_check_deliver(struct socket *so, struct label *solabel,
 struct mbuf *m, struct label *mlabel)
 {
 struct mac_biba *p, *s;
@@ -2173,7 +2178,7 @@ mac_biba_check_socket_deliver(struct socket *so, struct label *solabel,
 }
 static int
-mac_biba_check_socket_relabel(struct ucred *cred, struct socket *so,
+mac_biba_socket_check_relabel(struct ucred *cred, struct socket *so,
 struct label *solabel, struct label *newlabel)
 {
 struct mac_biba *subj, *obj, *new;
@@ -2224,7 +2229,7 @@ mac_biba_check_socket_relabel(struct ucred *cred, struct socket *so,
 }
 static int
-mac_biba_check_socket_visible(struct ucred *cred, struct socket *so,
+mac_biba_socket_check_visible(struct ucred *cred, struct socket *so,
 struct label *solabel)
 {
 struct mac_biba *subj, *obj;
@@ -2431,7 +2436,7 @@ mac_biba_priv_check(struct ucred *cred, int priv)
 }
 static int
-mac_biba_check_system_acct(struct ucred *cred, struct vnode *vp,
+mac_biba_system_check_acct(struct ucred *cred, struct vnode *vp,
 struct label *vplabel)
 {
 struct mac_biba *subj, *obj;
@@ -2457,7 +2462,7 @@ mac_biba_check_system_acct(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_biba_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+mac_biba_system_check_auditctl(struct ucred *cred, struct vnode *vp,
 struct label *vplabel)
 {
 struct mac_biba *subj, *obj;
@@ -2483,7 +2488,7 @@ mac_biba_check_system_auditctl(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_biba_check_system_auditon(struct ucred *cred, int cmd)
+mac_biba_system_check_auditon(struct ucred *cred, int cmd)
 {
 struct mac_biba *subj;
 int error;
@@ -2501,7 +2506,7 @@ mac_biba_check_system_auditon(struct ucred *cred, int cmd)
 }
 static int
-mac_biba_check_system_swapon(struct ucred *cred, struct vnode *vp,
+mac_biba_system_check_swapon(struct ucred *cred, struct vnode *vp,
 struct label *vplabel)
 {
 struct mac_biba *subj, *obj;
@@ -2524,7 +2529,7 @@ mac_biba_check_system_swapon(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_biba_check_system_swapoff(struct ucred *cred, struct vnode *vp,
+mac_biba_system_check_swapoff(struct ucred *cred, struct vnode *vp,
 struct label *label)
 {
 struct mac_biba *subj;
@@ -2543,7 +2548,7 @@ mac_biba_check_system_swapoff(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_biba_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+mac_biba_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
 void *arg1, int arg2, struct sysctl_req *req)
 {
 struct mac_biba *subj;
@@ -2571,7 +2576,7 @@ mac_biba_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
 }
 static int
-mac_biba_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
+mac_biba_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
 struct label *dvplabel)
 {
 struct mac_biba *subj, *obj;
@@ -2589,7 +2594,7 @@ mac_biba_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
 }
 static int
-mac_biba_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
+mac_biba_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
 struct label *dvplabel)
 {
 struct mac_biba *subj, *obj;
@@ -2607,7 +2612,7 @@ mac_biba_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
 }
 static int
-mac_biba_check_vnode_create(struct ucred *cred, struct vnode *dvp,
+mac_biba_vnode_check_create(struct ucred *cred, struct vnode *dvp,
 struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
 {
 struct mac_biba *subj, *obj;
@@ -2625,7 +2630,7 @@ mac_biba_check_vnode_create(struct ucred *cred, struct vnode *dvp,
 }
 static int
-mac_biba_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, acl_type_t type)
 {
 struct mac_biba *subj, *obj;
@@ -2643,7 +2648,7 @@ mac_biba_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_biba_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, int attrnamespace, const char *name)
 {
 struct mac_biba *subj, *obj;
@@ -2661,7 +2666,7 @@ mac_biba_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_biba_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_exec(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, struct image_params *imgp, struct label *execlabel)
 {
@@ -2693,7 +2698,7 @@ mac_biba_check_vnode_exec(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_biba_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, acl_type_t type)
 {
 struct mac_biba *subj, *obj;
@@ -2711,7 +2716,7 @@ mac_biba_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_biba_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, int attrnamespace, const char *name, struct uio *uio)
 {
@@ -2730,7 +2735,7 @@ mac_biba_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_biba_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+mac_biba_vnode_check_link(struct ucred *cred, struct vnode *dvp,
 struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp)
 {
@@ -2754,7 +2759,7 @@ mac_biba_check_vnode_link(struct ucred *cred, struct vnode *dvp,
 }
 static int
-mac_biba_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, int attrnamespace)
 {
 struct mac_biba *subj, *obj;
@@ -2772,7 +2777,7 @@ mac_biba_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_biba_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
+mac_biba_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
 struct label *dvplabel, struct componentname *cnp)
 {
 struct mac_biba *subj, *obj;
@@ -2790,7 +2795,7 @@ mac_biba_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
 }
 static int
-mac_biba_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, int prot, int flags)
 {
 struct mac_biba *subj, *obj;
@@ -2818,7 +2823,7 @@ mac_biba_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_open(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, int acc_mode)
 {
 struct mac_biba *subj, *obj;
@@ -2843,7 +2848,7 @@ mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_biba_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
+mac_biba_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
 struct vnode *vp, struct label *vplabel)
 {
 struct mac_biba *subj, *obj;
@@ -2861,7 +2866,7 @@ mac_biba_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
 }
 static int
-mac_biba_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
+mac_biba_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
 struct vnode *vp, struct label *vplabel)
 {
 struct mac_biba *subj, *obj;
@@ -2879,7 +2884,7 @@ mac_biba_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
 }
 static int
-mac_biba_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
+mac_biba_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
 struct label *dvplabel)
 {
 struct mac_biba *subj, *obj;
@@ -2897,7 +2902,7 @@ mac_biba_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
 }
 static int
-mac_biba_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_readlink(struct ucred *cred, struct vnode *vp,
 struct label *vplabel)
 {
 struct mac_biba *subj, *obj;
@@ -2915,7 +2920,7 @@ mac_biba_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_biba_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, struct label *newlabel)
 {
 struct mac_biba *old, *new, *subj;
@@ -2966,7 +2971,7 @@ mac_biba_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_biba_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
+mac_biba_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
 struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp)
 {
@@ -2990,7 +2995,7 @@ mac_biba_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
 }
 static int
-mac_biba_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
+mac_biba_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
 struct label *dvplabel, struct vnode *vp, struct label *vplabel, int samedir, struct componentname *cnp)
 {
@@ -3016,7 +3021,7 @@ mac_biba_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
 }
 static int
-mac_biba_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
 struct label *vplabel)
 {
 struct mac_biba *subj, *obj;
@@ -3034,7 +3039,7 @@ mac_biba_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_biba_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, acl_type_t type, struct acl *acl)
 {
 struct mac_biba *subj, *obj;
@@ -3052,7 +3057,7 @@ mac_biba_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_biba_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, int attrnamespace, const char *name, struct uio *uio)
 {
@@ -3073,7 +3078,7 @@ mac_biba_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_biba_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, u_long flags)
 {
 struct mac_biba *subj, *obj;
@@ -3091,7 +3096,7 @@ mac_biba_check_vnode_setflags(struct ucred *cred, struct vnode *vp, } static int -mac_biba_check_vnode_setmode(struct ucred *cred, struct vnode *vp, +mac_biba_vnode_check_setmode(struct ucred *cred, struct vnode *vp, struct label *vplabel, mode_t mode) { struct mac_biba *subj, *obj; @@ -3109,7 +3114,7 @@ mac_biba_check_vnode_setmode(struct ucred *cred, struct vnode *vp, } static int -mac_biba_check_vnode_setowner(struct ucred *cred, struct vnode *vp, +mac_biba_vnode_check_setowner(struct ucred *cred, struct vnode *vp, struct label *vplabel, uid_t uid, gid_t gid) { struct mac_biba *subj, *obj; @@ -3127,7 +3132,7 @@ mac_biba_check_vnode_setowner(struct ucred *cred, struct vnode *vp, } static int -mac_biba_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, +mac_biba_vnode_check_setutimes(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct timespec atime, struct timespec mtime) { struct mac_biba *subj, *obj; @@ -3145,7 +3150,7 @@ mac_biba_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, } static int -mac_biba_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, +mac_biba_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, struct label *vplabel) { struct mac_biba *subj, *obj; @@ -3163,7 +3168,7 @@ mac_biba_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, } static int -mac_biba_check_vnode_unlink(struct ucred *cred, struct vnode *dvp, +mac_biba_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp) { @@ -3187,7 +3192,7 @@ mac_biba_check_vnode_unlink(struct ucred *cred, struct vnode *dvp, } static int -mac_biba_check_vnode_write(struct ucred *active_cred, +mac_biba_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, struct label *vplabel) { struct mac_biba *subj, *obj; 
@@ -3239,185 +3244,185 @@ mac_biba_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m, static struct mac_policy_ops mac_biba_ops = { .mpo_init = mac_biba_init, - .mpo_init_bpfdesc_label = mac_biba_init_label, - .mpo_init_cred_label = mac_biba_init_label, - .mpo_init_devfs_label = mac_biba_init_label, - .mpo_init_ifnet_label = mac_biba_init_label, - .mpo_init_inpcb_label = mac_biba_init_label_waitcheck, + .mpo_bpfdesc_init_label = mac_biba_init_label, + .mpo_cred_init_label = mac_biba_init_label, + .mpo_devfs_init_label = mac_biba_init_label, + .mpo_ifnet_init_label = mac_biba_init_label, + .mpo_inpcb_init_label = mac_biba_init_label_waitcheck, .mpo_init_syncache_label = mac_biba_init_label_waitcheck, - .mpo_init_sysv_msgmsg_label = mac_biba_init_label, - .mpo_init_sysv_msgqueue_label = mac_biba_init_label, - .mpo_init_sysv_sem_label = mac_biba_init_label, - .mpo_init_sysv_shm_label = mac_biba_init_label, - .mpo_init_ipq_label = mac_biba_init_label_waitcheck, - .mpo_init_mbuf_label = mac_biba_init_label_waitcheck, - .mpo_init_mount_label = mac_biba_init_label, - .mpo_init_pipe_label = mac_biba_init_label, - .mpo_init_posix_sem_label = mac_biba_init_label, - .mpo_init_socket_label = mac_biba_init_label_waitcheck, - .mpo_init_socket_peer_label = mac_biba_init_label_waitcheck, + .mpo_sysvmsg_init_label = mac_biba_init_label, + .mpo_sysvmsq_init_label = mac_biba_init_label, + .mpo_sysvsem_init_label = mac_biba_init_label, + .mpo_sysvshm_init_label = mac_biba_init_label, + .mpo_ipq_init_label = mac_biba_init_label_waitcheck, + .mpo_mbuf_init_label = mac_biba_init_label_waitcheck, + .mpo_mount_init_label = mac_biba_init_label, + .mpo_pipe_init_label = mac_biba_init_label, + .mpo_posixsem_init_label = mac_biba_init_label, + .mpo_socket_init_label = mac_biba_init_label_waitcheck, + .mpo_socketpeer_init_label = mac_biba_init_label_waitcheck, .mpo_init_syncache_from_inpcb = mac_biba_init_syncache_from_inpcb, - .mpo_init_vnode_label = mac_biba_init_label, - 
.mpo_destroy_bpfdesc_label = mac_biba_destroy_label, - .mpo_destroy_cred_label = mac_biba_destroy_label, - .mpo_destroy_devfs_label = mac_biba_destroy_label, - .mpo_destroy_ifnet_label = mac_biba_destroy_label, - .mpo_destroy_inpcb_label = mac_biba_destroy_label, + .mpo_vnode_init_label = mac_biba_init_label, + .mpo_bpfdesc_destroy_label = mac_biba_destroy_label, + .mpo_cred_destroy_label = mac_biba_destroy_label, + .mpo_devfs_destroy_label = mac_biba_destroy_label, + .mpo_ifnet_destroy_label = mac_biba_destroy_label, + .mpo_inpcb_destroy_label = mac_biba_destroy_label, .mpo_destroy_syncache_label = mac_biba_destroy_label, - .mpo_destroy_sysv_msgmsg_label = mac_biba_destroy_label, - .mpo_destroy_sysv_msgqueue_label = mac_biba_destroy_label, - .mpo_destroy_sysv_sem_label = mac_biba_destroy_label, - .mpo_destroy_sysv_shm_label = mac_biba_destroy_label, - .mpo_destroy_ipq_label = mac_biba_destroy_label, - .mpo_destroy_mbuf_label = mac_biba_destroy_label, - .mpo_destroy_mount_label = mac_biba_destroy_label, - .mpo_destroy_pipe_label = mac_biba_destroy_label, - .mpo_destroy_posix_sem_label = mac_biba_destroy_label, - .mpo_destroy_socket_label = mac_biba_destroy_label, - .mpo_destroy_socket_peer_label = mac_biba_destroy_label, - .mpo_destroy_vnode_label = mac_biba_destroy_label, - .mpo_copy_cred_label = mac_biba_copy_label, - .mpo_copy_ifnet_label = mac_biba_copy_label, - .mpo_copy_mbuf_label = mac_biba_copy_label, - .mpo_copy_pipe_label = mac_biba_copy_label, - .mpo_copy_socket_label = mac_biba_copy_label, - .mpo_copy_vnode_label = mac_biba_copy_label, - .mpo_externalize_cred_label = mac_biba_externalize_label, - .mpo_externalize_ifnet_label = mac_biba_externalize_label, - .mpo_externalize_pipe_label = mac_biba_externalize_label, - .mpo_externalize_socket_label = mac_biba_externalize_label, - .mpo_externalize_socket_peer_label = mac_biba_externalize_label, - .mpo_externalize_vnode_label = mac_biba_externalize_label, - .mpo_internalize_cred_label = 
mac_biba_internalize_label, - .mpo_internalize_ifnet_label = mac_biba_internalize_label, - .mpo_internalize_pipe_label = mac_biba_internalize_label, - .mpo_internalize_socket_label = mac_biba_internalize_label, - .mpo_internalize_vnode_label = mac_biba_internalize_label, - .mpo_create_devfs_device = mac_biba_create_devfs_device, - .mpo_create_devfs_directory = mac_biba_create_devfs_directory, - .mpo_create_devfs_symlink = mac_biba_create_devfs_symlink, - .mpo_create_mount = mac_biba_create_mount, - .mpo_relabel_vnode = mac_biba_relabel_vnode, - .mpo_update_devfs = mac_biba_update_devfs, - .mpo_associate_vnode_devfs = mac_biba_associate_vnode_devfs, - .mpo_associate_vnode_extattr = mac_biba_associate_vnode_extattr, - .mpo_associate_vnode_singlelabel = mac_biba_associate_vnode_singlelabel, - .mpo_create_vnode_extattr = mac_biba_create_vnode_extattr, - .mpo_setlabel_vnode_extattr = mac_biba_setlabel_vnode_extattr, - .mpo_create_mbuf_from_socket = mac_biba_create_mbuf_from_socket, + .mpo_sysvmsg_destroy_label = mac_biba_destroy_label, + .mpo_sysvmsq_destroy_label = mac_biba_destroy_label, + .mpo_sysvsem_destroy_label = mac_biba_destroy_label, + .mpo_sysvshm_destroy_label = mac_biba_destroy_label, + .mpo_ipq_destroy_label = mac_biba_destroy_label, + .mpo_mbuf_destroy_label = mac_biba_destroy_label, + .mpo_mount_destroy_label = mac_biba_destroy_label, + .mpo_pipe_destroy_label = mac_biba_destroy_label, + .mpo_posixsem_destroy_label = mac_biba_destroy_label, + .mpo_socket_destroy_label = mac_biba_destroy_label, + .mpo_socketpeer_destroy_label = mac_biba_destroy_label, + .mpo_vnode_destroy_label = mac_biba_destroy_label, + .mpo_cred_copy_label = mac_biba_copy_label, + .mpo_ifnet_copy_label = mac_biba_copy_label, + .mpo_mbuf_copy_label = mac_biba_copy_label, + .mpo_pipe_copy_label = mac_biba_copy_label, + .mpo_socket_copy_label = mac_biba_copy_label, + .mpo_vnode_copy_label = mac_biba_copy_label, + .mpo_cred_externalize_label = mac_biba_externalize_label, + 
.mpo_ifnet_externalize_label = mac_biba_externalize_label, + .mpo_pipe_externalize_label = mac_biba_externalize_label, + .mpo_socket_externalize_label = mac_biba_externalize_label, + .mpo_socketpeer_externalize_label = mac_biba_externalize_label, + .mpo_vnode_externalize_label = mac_biba_externalize_label, + .mpo_cred_internalize_label = mac_biba_internalize_label, + .mpo_ifnet_internalize_label = mac_biba_internalize_label, + .mpo_pipe_internalize_label = mac_biba_internalize_label, + .mpo_socket_internalize_label = mac_biba_internalize_label, + .mpo_vnode_internalize_label = mac_biba_internalize_label, + .mpo_devfs_create_device = mac_biba_devfs_create_device, + .mpo_devfs_create_directory = mac_biba_devfs_create_directory, + .mpo_devfs_create_symlink = mac_biba_devfs_create_symlink, + .mpo_mount_create = mac_biba_mount_create, + .mpo_vnode_relabel = mac_biba_vnode_relabel, + .mpo_devfs_update = mac_biba_devfs_update, + .mpo_devfs_vnode_associate = mac_biba_devfs_vnode_associate, + .mpo_vnode_associate_extattr = mac_biba_vnode_associate_extattr, + .mpo_vnode_associate_singlelabel = mac_biba_vnode_associate_singlelabel, + .mpo_vnode_create_extattr = mac_biba_vnode_create_extattr, + .mpo_vnode_setlabel_extattr = mac_biba_vnode_setlabel_extattr, + .mpo_socket_create_mbuf = mac_biba_socket_create_mbuf, .mpo_create_mbuf_from_syncache = mac_biba_create_mbuf_from_syncache, - .mpo_create_pipe = mac_biba_create_pipe, - .mpo_create_posix_sem = mac_biba_create_posix_sem, - .mpo_create_socket = mac_biba_create_socket, - .mpo_create_socket_from_socket = mac_biba_create_socket_from_socket, - .mpo_relabel_pipe = mac_biba_relabel_pipe, - .mpo_relabel_socket = mac_biba_relabel_socket, - .mpo_set_socket_peer_from_mbuf = mac_biba_set_socket_peer_from_mbuf, - .mpo_set_socket_peer_from_socket = mac_biba_set_socket_peer_from_socket, - .mpo_create_bpfdesc = mac_biba_create_bpfdesc, - .mpo_create_datagram_from_ipq = mac_biba_create_datagram_from_ipq, - .mpo_create_fragment = 
mac_biba_create_fragment, - .mpo_create_ifnet = mac_biba_create_ifnet, - .mpo_create_inpcb_from_socket = mac_biba_create_inpcb_from_socket, - .mpo_create_sysv_msgmsg = mac_biba_create_sysv_msgmsg, - .mpo_create_sysv_msgqueue = mac_biba_create_sysv_msgqueue, - .mpo_create_sysv_sem = mac_biba_create_sysv_sem, - .mpo_create_sysv_shm = mac_biba_create_sysv_shm, - .mpo_create_ipq = mac_biba_create_ipq, - .mpo_create_mbuf_from_inpcb = mac_biba_create_mbuf_from_inpcb, + .mpo_pipe_create = mac_biba_pipe_create, + .mpo_posixsem_create = mac_biba_posixsem_create, + .mpo_socket_create = mac_biba_socket_create, + .mpo_socket_newconn = mac_biba_socket_newconn, + .mpo_pipe_relabel = mac_biba_pipe_relabel, + .mpo_socket_relabel = mac_biba_socket_relabel, + .mpo_socketpeer_set_from_mbuf = mac_biba_socketpeer_set_from_mbuf, + .mpo_socketpeer_set_from_socket = mac_biba_socketpeer_set_from_socket, + .mpo_bpfdesc_create = mac_biba_bpfdesc_create, + .mpo_ipq_reassemble = mac_biba_ipq_reassemble, + .mpo_netinet_fragment = mac_biba_netinet_fragment, + .mpo_ifnet_create = mac_biba_ifnet_create, + .mpo_inpcb_create = mac_biba_inpcb_create, + .mpo_sysvmsg_create = mac_biba_sysvmsg_create, + .mpo_sysvmsq_create = mac_biba_sysvmsq_create, + .mpo_sysvsem_create = mac_biba_sysvsem_create, + .mpo_sysvshm_create = mac_biba_sysvshm_create, + .mpo_ipq_create = mac_biba_ipq_create, + .mpo_inpcb_create_mbuf = mac_biba_inpcb_create_mbuf, .mpo_create_mbuf_linklayer = mac_biba_create_mbuf_linklayer, - .mpo_create_mbuf_from_bpfdesc = mac_biba_create_mbuf_from_bpfdesc, - .mpo_create_mbuf_from_ifnet = mac_biba_create_mbuf_from_ifnet, - .mpo_create_mbuf_multicast_encap = mac_biba_create_mbuf_multicast_encap, - .mpo_create_mbuf_netlayer = mac_biba_create_mbuf_netlayer, - .mpo_fragment_match = mac_biba_fragment_match, - .mpo_relabel_ifnet = mac_biba_relabel_ifnet, - .mpo_update_ipq = mac_biba_update_ipq, + .mpo_bpfdesc_create_mbuf = mac_biba_bpfdesc_create_mbuf, + .mpo_ifnet_create_mbuf = 
mac_biba_ifnet_create_mbuf, + .mpo_mbuf_create_multicast_encap = mac_biba_mbuf_create_multicast_encap, + .mpo_mbuf_create_netlayer = mac_biba_mbuf_create_netlayer, + .mpo_ipq_match = mac_biba_ipq_match, + .mpo_ifnet_relabel = mac_biba_ifnet_relabel, + .mpo_ipq_update = mac_biba_ipq_update, .mpo_inpcb_sosetlabel = mac_biba_inpcb_sosetlabel, - .mpo_create_proc0 = mac_biba_create_proc0, - .mpo_create_proc1 = mac_biba_create_proc1, - .mpo_relabel_cred = mac_biba_relabel_cred, - .mpo_cleanup_sysv_msgmsg = mac_biba_cleanup_sysv_msgmsg, - .mpo_cleanup_sysv_msgqueue = mac_biba_cleanup_sysv_msgqueue, - .mpo_cleanup_sysv_sem = mac_biba_cleanup_sysv_sem, - .mpo_cleanup_sysv_shm = mac_biba_cleanup_sysv_shm, - .mpo_check_bpfdesc_receive = mac_biba_check_bpfdesc_receive, - .mpo_check_cred_relabel = mac_biba_check_cred_relabel, - .mpo_check_cred_visible = mac_biba_check_cred_visible, - .mpo_check_ifnet_relabel = mac_biba_check_ifnet_relabel, - .mpo_check_ifnet_transmit = mac_biba_check_ifnet_transmit, - .mpo_check_inpcb_deliver = mac_biba_check_inpcb_deliver, - .mpo_check_sysv_msgrcv = mac_biba_check_sysv_msgrcv, - .mpo_check_sysv_msgrmid = mac_biba_check_sysv_msgrmid, - .mpo_check_sysv_msqget = mac_biba_check_sysv_msqget, - .mpo_check_sysv_msqsnd = mac_biba_check_sysv_msqsnd, - .mpo_check_sysv_msqrcv = mac_biba_check_sysv_msqrcv, - .mpo_check_sysv_msqctl = mac_biba_check_sysv_msqctl, - .mpo_check_sysv_semctl = mac_biba_check_sysv_semctl, - .mpo_check_sysv_semget = mac_biba_check_sysv_semget, - .mpo_check_sysv_semop = mac_biba_check_sysv_semop, - .mpo_check_sysv_shmat = mac_biba_check_sysv_shmat, - .mpo_check_sysv_shmctl = mac_biba_check_sysv_shmctl, - .mpo_check_sysv_shmget = mac_biba_check_sysv_shmget, - .mpo_check_kld_load = mac_biba_check_kld_load, - .mpo_check_mount_stat = mac_biba_check_mount_stat, - .mpo_check_pipe_ioctl = mac_biba_check_pipe_ioctl, - .mpo_check_pipe_poll = mac_biba_check_pipe_poll, - .mpo_check_pipe_read = mac_biba_check_pipe_read, - 
.mpo_check_pipe_relabel = mac_biba_check_pipe_relabel, - .mpo_check_pipe_stat = mac_biba_check_pipe_stat, - .mpo_check_pipe_write = mac_biba_check_pipe_write, - .mpo_check_posix_sem_destroy = mac_biba_check_posix_sem_write, - .mpo_check_posix_sem_getvalue = mac_biba_check_posix_sem_rdonly, - .mpo_check_posix_sem_open = mac_biba_check_posix_sem_write, - .mpo_check_posix_sem_post = mac_biba_check_posix_sem_write, - .mpo_check_posix_sem_unlink = mac_biba_check_posix_sem_write, - .mpo_check_posix_sem_wait = mac_biba_check_posix_sem_write, - .mpo_check_proc_debug = mac_biba_check_proc_debug, - .mpo_check_proc_sched = mac_biba_check_proc_sched, - .mpo_check_proc_signal = mac_biba_check_proc_signal, - .mpo_check_socket_deliver = mac_biba_check_socket_deliver, - .mpo_check_socket_relabel = mac_biba_check_socket_relabel, - .mpo_check_socket_visible = mac_biba_check_socket_visible, - .mpo_check_system_acct = mac_biba_check_system_acct, - .mpo_check_system_auditctl = mac_biba_check_system_auditctl, - .mpo_check_system_auditon = mac_biba_check_system_auditon, - .mpo_check_system_swapon = mac_biba_check_system_swapon, - .mpo_check_system_swapoff = mac_biba_check_system_swapoff, - .mpo_check_system_sysctl = mac_biba_check_system_sysctl, - .mpo_check_vnode_access = mac_biba_check_vnode_open, - .mpo_check_vnode_chdir = mac_biba_check_vnode_chdir, - .mpo_check_vnode_chroot = mac_biba_check_vnode_chroot, - .mpo_check_vnode_create = mac_biba_check_vnode_create, - .mpo_check_vnode_deleteacl = mac_biba_check_vnode_deleteacl, - .mpo_check_vnode_deleteextattr = mac_biba_check_vnode_deleteextattr, - .mpo_check_vnode_exec = mac_biba_check_vnode_exec, - .mpo_check_vnode_getacl = mac_biba_check_vnode_getacl, - .mpo_check_vnode_getextattr = mac_biba_check_vnode_getextattr, - .mpo_check_vnode_link = mac_biba_check_vnode_link, - .mpo_check_vnode_listextattr = mac_biba_check_vnode_listextattr, - .mpo_check_vnode_lookup = mac_biba_check_vnode_lookup, - .mpo_check_vnode_mmap = 
mac_biba_check_vnode_mmap, - .mpo_check_vnode_open = mac_biba_check_vnode_open, - .mpo_check_vnode_poll = mac_biba_check_vnode_poll, - .mpo_check_vnode_read = mac_biba_check_vnode_read, - .mpo_check_vnode_readdir = mac_biba_check_vnode_readdir, - .mpo_check_vnode_readlink = mac_biba_check_vnode_readlink, - .mpo_check_vnode_relabel = mac_biba_check_vnode_relabel, - .mpo_check_vnode_rename_from = mac_biba_check_vnode_rename_from, - .mpo_check_vnode_rename_to = mac_biba_check_vnode_rename_to, - .mpo_check_vnode_revoke = mac_biba_check_vnode_revoke, - .mpo_check_vnode_setacl = mac_biba_check_vnode_setacl, - .mpo_check_vnode_setextattr = mac_biba_check_vnode_setextattr, - .mpo_check_vnode_setflags = mac_biba_check_vnode_setflags, - .mpo_check_vnode_setmode = mac_biba_check_vnode_setmode, - .mpo_check_vnode_setowner = mac_biba_check_vnode_setowner, - .mpo_check_vnode_setutimes = mac_biba_check_vnode_setutimes, - .mpo_check_vnode_stat = mac_biba_check_vnode_stat, - .mpo_check_vnode_unlink = mac_biba_check_vnode_unlink, - .mpo_check_vnode_write = mac_biba_check_vnode_write, + .mpo_proc_create_swapper = mac_biba_proc_create_swapper, + .mpo_proc_create_init = mac_biba_proc_create_init, + .mpo_cred_relabel = mac_biba_cred_relabel, + .mpo_sysvmsg_cleanup = mac_biba_sysvmsg_cleanup, + .mpo_sysvmsq_cleanup = mac_biba_sysvmsq_cleanup, + .mpo_sysvsem_cleanup = mac_biba_sysvsem_cleanup, + .mpo_sysvshm_cleanup = mac_biba_sysvshm_cleanup, + .mpo_bpfdesc_check_receive = mac_biba_bpfdesc_check_receive, + .mpo_cred_check_relabel = mac_biba_cred_check_relabel, + .mpo_cred_check_visible = mac_biba_cred_check_visible, + .mpo_ifnet_check_relabel = mac_biba_ifnet_check_relabel, + .mpo_ifnet_check_transmit = mac_biba_ifnet_check_transmit, + .mpo_inpcb_check_deliver = mac_biba_inpcb_check_deliver, + .mpo_sysvmsq_check_msgrcv = mac_biba_sysvmsq_check_msgrcv, + .mpo_sysvmsq_check_msgrmid = mac_biba_sysvmsq_check_msgrmid, + .mpo_sysvmsq_check_msqget = mac_biba_sysvmsq_check_msqget, + 
.mpo_sysvmsq_check_msqsnd = mac_biba_sysvmsq_check_msqsnd, + .mpo_sysvmsq_check_msqrcv = mac_biba_sysvmsq_check_msqrcv, + .mpo_sysvmsq_check_msqctl = mac_biba_sysvmsq_check_msqctl, + .mpo_sysvsem_check_semctl = mac_biba_sysvsem_check_semctl, + .mpo_sysvsem_check_semget = mac_biba_sysvsem_check_semget, + .mpo_sysvsem_check_semop = mac_biba_sysvsem_check_semop, + .mpo_sysvshm_check_shmat = mac_biba_sysvshm_check_shmat, + .mpo_sysvshm_check_shmctl = mac_biba_sysvshm_check_shmctl, + .mpo_sysvshm_check_shmget = mac_biba_sysvshm_check_shmget, + .mpo_kld_check_load = mac_biba_kld_check_load, + .mpo_mount_check_stat = mac_biba_mount_check_stat, + .mpo_pipe_check_ioctl = mac_biba_pipe_check_ioctl, + .mpo_pipe_check_poll = mac_biba_pipe_check_poll, + .mpo_pipe_check_read = mac_biba_pipe_check_read, + .mpo_pipe_check_relabel = mac_biba_pipe_check_relabel, + .mpo_pipe_check_stat = mac_biba_pipe_check_stat, + .mpo_pipe_check_write = mac_biba_pipe_check_write, + .mpo_posixsem_check_destroy = mac_biba_posixsem_check_write, + .mpo_posixsem_check_getvalue = mac_biba_posixsem_check_rdonly, + .mpo_posixsem_check_open = mac_biba_posixsem_check_write, + .mpo_posixsem_check_post = mac_biba_posixsem_check_write, + .mpo_posixsem_check_unlink = mac_biba_posixsem_check_write, + .mpo_posixsem_check_wait = mac_biba_posixsem_check_write, + .mpo_proc_check_debug = mac_biba_proc_check_debug, + .mpo_proc_check_sched = mac_biba_proc_check_sched, + .mpo_proc_check_signal = mac_biba_proc_check_signal, + .mpo_socket_check_deliver = mac_biba_socket_check_deliver, + .mpo_socket_check_relabel = mac_biba_socket_check_relabel, + .mpo_socket_check_visible = mac_biba_socket_check_visible, + .mpo_system_check_acct = mac_biba_system_check_acct, + .mpo_system_check_auditctl = mac_biba_system_check_auditctl, + .mpo_system_check_auditon = mac_biba_system_check_auditon, + .mpo_system_check_swapon = mac_biba_system_check_swapon, + .mpo_system_check_swapoff = mac_biba_system_check_swapoff, + 
.mpo_system_check_sysctl = mac_biba_system_check_sysctl, + .mpo_vnode_check_access = mac_biba_vnode_check_open, + .mpo_vnode_check_chdir = mac_biba_vnode_check_chdir, + .mpo_vnode_check_chroot = mac_biba_vnode_check_chroot, + .mpo_vnode_check_create = mac_biba_vnode_check_create, + .mpo_vnode_check_deleteacl = mac_biba_vnode_check_deleteacl, + .mpo_vnode_check_deleteextattr = mac_biba_vnode_check_deleteextattr, + .mpo_vnode_check_exec = mac_biba_vnode_check_exec, + .mpo_vnode_check_getacl = mac_biba_vnode_check_getacl, + .mpo_vnode_check_getextattr = mac_biba_vnode_check_getextattr, + .mpo_vnode_check_link = mac_biba_vnode_check_link, + .mpo_vnode_check_listextattr = mac_biba_vnode_check_listextattr, + .mpo_vnode_check_lookup = mac_biba_vnode_check_lookup, + .mpo_vnode_check_mmap = mac_biba_vnode_check_mmap, + .mpo_vnode_check_open = mac_biba_vnode_check_open, + .mpo_vnode_check_poll = mac_biba_vnode_check_poll, + .mpo_vnode_check_read = mac_biba_vnode_check_read, + .mpo_vnode_check_readdir = mac_biba_vnode_check_readdir, + .mpo_vnode_check_readlink = mac_biba_vnode_check_readlink, + .mpo_vnode_check_relabel = mac_biba_vnode_check_relabel, + .mpo_vnode_check_rename_from = mac_biba_vnode_check_rename_from, + .mpo_vnode_check_rename_to = mac_biba_vnode_check_rename_to, + .mpo_vnode_check_revoke = mac_biba_vnode_check_revoke, + .mpo_vnode_check_setacl = mac_biba_vnode_check_setacl, + .mpo_vnode_check_setextattr = mac_biba_vnode_check_setextattr, + .mpo_vnode_check_setflags = mac_biba_vnode_check_setflags, + .mpo_vnode_check_setmode = mac_biba_vnode_check_setmode, + .mpo_vnode_check_setowner = mac_biba_vnode_check_setowner, + .mpo_vnode_check_setutimes = mac_biba_vnode_check_setutimes, + .mpo_vnode_check_stat = mac_biba_vnode_check_stat, + .mpo_vnode_check_unlink = mac_biba_vnode_check_unlink, + .mpo_vnode_check_write = mac_biba_vnode_check_write, .mpo_associate_nfsd_label = mac_biba_associate_nfsd_label, - .mpo_create_mbuf_from_firewall = 
mac_biba_create_mbuf_from_firewall, + .mpo_mbuf_create_from_firewall = mac_biba_mbuf_create_from_firewall, .mpo_priv_check = mac_biba_priv_check, }; diff --git a/sys/security/mac_bsdextended/mac_bsdextended.c b/sys/security/mac_bsdextended/mac_bsdextended.c index bdeadce..05521fe 100644 --- a/sys/security/mac_bsdextended/mac_bsdextended.c +++ b/sys/security/mac_bsdextended/mac_bsdextended.c @@ -2,6 +2,7 @@ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * Copyright (c) 2005 Tom Rhodes + * Copyright (c) 2006 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -12,6 +13,9 @@ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), * as part of the DARPA CHATS research program. * + * This software was enhanced by SPARTA ISSO under SPAWAR contract + * N66001-04-C-6019 ("SEFOS"). + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -440,7 +444,7 @@ mac_bsdextended_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode) } static int -mac_bsdextended_check_system_acct(struct ucred *cred, struct vnode *vp, +mac_bsdextended_system_check_acct(struct ucred *cred, struct vnode *vp, struct label *vplabel) { @@ -448,7 +452,7 @@ mac_bsdextended_check_system_acct(struct ucred *cred, struct vnode *vp, } static int -mac_bsdextended_check_system_auditctl(struct ucred *cred, struct vnode *vp, +mac_bsdextended_system_check_auditctl(struct ucred *cred, struct vnode *vp, struct label *vplabel) { @@ -456,7 +460,7 @@ mac_bsdextended_check_system_auditctl(struct ucred *cred, struct vnode *vp, } static int -mac_bsdextended_check_system_swapoff(struct ucred *cred, struct vnode *vp, +mac_bsdextended_system_check_swapoff(struct ucred *cred, struct vnode *vp, struct label *vplabel) { 
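Review bot: In the `mac_biba_ops` initializer (hunk `@@ -3239,185 +3244,185 @@`), six entries stay on the old verb-first names as unchanged context: `.mpo_init_syncache_label`, `.mpo_destroy_syncache_label`, `.mpo_init_syncache_from_inpcb`, `.mpo_create_mbuf_from_syncache`, `.mpo_create_mbuf_linklayer` and `.mpo_associate_nfsd_label`. The table therefore mixes two naming schemes after this change. If these are deliberately deferred (the `mac_policy_ops` declaration is not visible here), a marker above the first of them, such as `/* XXX: syncache, linklayer and nfsd entry points not yet converted to object-first names. */`, would keep a later search for `mpo_<object>_` from missing hooks the policy implements. The rename also carries over the shared wiring `.mpo_vnode_check_access = mac_biba_vnode_check_open` and the `posixsem` checks that all point at `mac_biba_posixsem_check_write`; a short comment stating that the sharing is intended would help the next audit of this table.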
@@ -464,7 +468,7 @@ mac_bsdextended_check_system_swapoff(struct ucred *cred, struct vnode *vp, } static int -mac_bsdextended_check_system_swapon(struct ucred *cred, struct vnode *vp, +mac_bsdextended_system_check_swapon(struct ucred *cred, struct vnode *vp, struct label *vplabel) { @@ -472,7 +476,7 @@ mac_bsdextended_check_system_swapon(struct ucred *cred, struct vnode *vp, } static int -mac_bsdextended_check_vnode_access(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_access(struct ucred *cred, struct vnode *vp, struct label *vplabel, int acc_mode) { @@ -480,7 +484,7 @@ mac_bsdextended_check_vnode_access(struct ucred *cred, struct vnode *vp, } static int -mac_bsdextended_check_vnode_chdir(struct ucred *cred, struct vnode *dvp, +mac_bsdextended_vnode_check_chdir(struct ucred *cred, struct vnode *dvp, struct label *dvplabel) { @@ -488,7 +492,7 @@ mac_bsdextended_check_vnode_chdir(struct ucred *cred, struct vnode *dvp, } static int -mac_bsdextended_check_vnode_chroot(struct ucred *cred, struct vnode *dvp, +mac_bsdextended_vnode_check_chroot(struct ucred *cred, struct vnode *dvp, struct label *dvplabel) { @@ -504,7 +508,7 @@ mac_bsdextended_check_create_vnode(struct ucred *cred, struct vnode *dvp, } static int -mac_bsdextended_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp, struct label *vplabel, acl_type_t type) { @@ -512,7 +516,7 @@ mac_bsdextended_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, } static int -mac_bsdextended_check_vnode_deleteextattr(struct ucred *cred, +mac_bsdextended_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp, struct label *vplabel, int attrnamespace, const char *name) { 
@@ -521,7 +525,7 @@ mac_bsdextended_check_vnode_deleteextattr(struct ucred *cred, } static int -mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_exec(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct image_params *imgp, struct label *execlabel) { @@ -530,7 +534,7 @@ mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp, } static int -mac_bsdextended_check_vnode_getacl(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_getacl(struct ucred *cred, struct vnode *vp, struct label *vplabel, acl_type_t type) { @@ -538,7 +542,7 @@ mac_bsdextended_check_vnode_getacl(struct ucred *cred, struct vnode *vp, } static int -mac_bsdextended_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_getextattr(struct ucred *cred, struct vnode *vp, struct label *vplabel, int attrnamespace, const char *name, struct uio *uio) { @@ -547,7 +551,7 @@ mac_bsdextended_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, } static int -mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp, +mac_bsdextended_vnode_check_link(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *label, struct componentname *cnp) { @@ -563,7 +567,7 @@ mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp, } static int -mac_bsdextended_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_listextattr(struct ucred *cred, struct vnode *vp, struct label *vplabel, int attrnamespace) { @@ -571,7 +575,7 @@ mac_bsdextended_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, } static int -mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, +mac_bsdextended_vnode_check_lookup(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct componentname *cnp) { 
@@ -579,7 +583,7 @@ mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, } static int -mac_bsdextended_check_vnode_open(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_open(struct ucred *cred, struct vnode *vp, struct label *vplabel, int acc_mode) { @@ -587,7 +591,7 @@ mac_bsdextended_check_vnode_open(struct ucred *cred, struct vnode *vp, } static int -mac_bsdextended_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, +mac_bsdextended_vnode_check_readdir(struct ucred *cred, struct vnode *dvp, struct label *dvplabel) { @@ -595,7 +599,7 @@ mac_bsdextended_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, } static int -mac_bsdextended_check_vnode_readdlink(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_readdlink(struct ucred *cred, struct vnode *vp, struct label *vplabel) { @@ -603,7 +607,7 @@ mac_bsdextended_check_vnode_readdlink(struct ucred *cred, struct vnode *vp, } static int -mac_bsdextended_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, +mac_bsdextended_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp) { @@ -616,7 +620,7 @@ mac_bsdextended_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, } static int -mac_bsdextended_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, +mac_bsdextended_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, int samedir, struct componentname *cnp) { @@ -631,7 +635,7 @@ mac_bsdextended_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, } static int -mac_bsdextended_check_vnode_revoke(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_revoke(struct ucred *cred, struct vnode *vp, struct label *vplabel) { 
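Review bot: The new name `mac_bsdextended_vnode_check_readdlink` in hunk `@@ -595,7 +599,7 @@` keeps the doubled "d" of the old one, although it is wired to `.mpo_vnode_check_readlink` in the ops table. The function is `static`, so the rename is a safe place to fix it: `mac_bsdextended_vnode_check_readlink(struct ucred *cred, struct vnode *vp,` together with `.mpo_vnode_check_readlink = mac_bsdextended_vnode_check_readlink,`. In the same file, `mac_bsdextended_check_create_vnode` (hunk header at `@@ -504,7 +508,7 @@`) and `mac_bsdextended_check_setacl_vnode` (`@@ -647,7 +651,7 @@`) are left on the old pattern while the ops fields they fill became `.mpo_vnode_check_create` and `.mpo_vnode_check_setacl`. Renaming them too would keep the policy's functions greppable by hook name. The function body continues outside this hunk.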
@@ -647,7 +651,7 @@ mac_bsdextended_check_setacl_vnode(struct ucred *cred, struct vnode *vp, } static int -mac_bsdextended_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_setextattr(struct ucred *cred, struct vnode *vp, struct label *vplabel, int attrnamespace, const char *name, struct uio *uio) { @@ -656,7 +660,7 @@ mac_bsdextended_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, } static int -mac_bsdextended_check_vnode_setflags(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_setflags(struct ucred *cred, struct vnode *vp, struct label *vplabel, u_long flags) { @@ -664,7 +668,7 @@ mac_bsdextended_check_vnode_setflags(struct ucred *cred, struct vnode *vp, } static int -mac_bsdextended_check_vnode_setmode(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_setmode(struct ucred *cred, struct vnode *vp, struct label *vplabel, mode_t mode) { @@ -672,7 +676,7 @@ mac_bsdextended_check_vnode_setmode(struct ucred *cred, struct vnode *vp, } static int -mac_bsdextended_check_vnode_setowner(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_setowner(struct ucred *cred, struct vnode *vp, struct label *vplabel, uid_t uid, gid_t gid) { @@ -680,7 +684,7 @@ mac_bsdextended_check_vnode_setowner(struct ucred *cred, struct vnode *vp, } static int -mac_bsdextended_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_setutimes(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct timespec atime, struct timespec utime) { @@ -688,7 +692,7 @@ mac_bsdextended_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, } static int -mac_bsdextended_check_vnode_stat(struct ucred *active_cred, +mac_bsdextended_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, struct label *vplabel) { 
@@ -696,7 +700,7 @@ mac_bsdextended_check_vnode_stat(struct ucred *active_cred, } static int -mac_bsdextended_check_vnode_unlink(struct ucred *cred, struct vnode *dvp, +mac_bsdextended_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp) { 
@@ -712,36 +716,36 @@ static struct mac_policy_ops mac_bsdextended_ops = { .mpo_destroy = mac_bsdextended_destroy, .mpo_init = mac_bsdextended_init, - .mpo_check_system_acct = mac_bsdextended_check_system_acct, - .mpo_check_system_auditctl = mac_bsdextended_check_system_auditctl, - .mpo_check_system_swapoff = mac_bsdextended_check_system_swapoff, - .mpo_check_system_swapon = mac_bsdextended_check_system_swapon, - .mpo_check_vnode_access = mac_bsdextended_check_vnode_access, - .mpo_check_vnode_chdir = mac_bsdextended_check_vnode_chdir, - .mpo_check_vnode_chroot = mac_bsdextended_check_vnode_chroot, - .mpo_check_vnode_create = mac_bsdextended_check_create_vnode, - .mpo_check_vnode_deleteacl = mac_bsdextended_check_vnode_deleteacl, - .mpo_check_vnode_deleteextattr = mac_bsdextended_check_vnode_deleteextattr, - .mpo_check_vnode_exec = mac_bsdextended_check_vnode_exec, - .mpo_check_vnode_getacl = mac_bsdextended_check_vnode_getacl, - .mpo_check_vnode_getextattr = mac_bsdextended_check_vnode_getextattr, - .mpo_check_vnode_link = mac_bsdextended_check_vnode_link, - .mpo_check_vnode_listextattr = mac_bsdextended_check_vnode_listextattr, - .mpo_check_vnode_lookup = mac_bsdextended_check_vnode_lookup, - .mpo_check_vnode_open = mac_bsdextended_check_vnode_open, - .mpo_check_vnode_readdir = mac_bsdextended_check_vnode_readdir, - .mpo_check_vnode_readlink = mac_bsdextended_check_vnode_readdlink, - .mpo_check_vnode_rename_from = mac_bsdextended_check_vnode_rename_from, - .mpo_check_vnode_rename_to = mac_bsdextended_check_vnode_rename_to, - .mpo_check_vnode_revoke = mac_bsdextended_check_vnode_revoke, - .mpo_check_vnode_setacl = mac_bsdextended_check_setacl_vnode, - .mpo_check_vnode_setextattr = mac_bsdextended_check_vnode_setextattr, - .mpo_check_vnode_setflags = mac_bsdextended_check_vnode_setflags, - .mpo_check_vnode_setmode = mac_bsdextended_check_vnode_setmode, - .mpo_check_vnode_setowner = mac_bsdextended_check_vnode_setowner, - .mpo_check_vnode_setutimes = 
mac_bsdextended_check_vnode_setutimes, - .mpo_check_vnode_stat = mac_bsdextended_check_vnode_stat, - .mpo_check_vnode_unlink = mac_bsdextended_check_vnode_unlink, + .mpo_system_check_acct = mac_bsdextended_system_check_acct, + .mpo_system_check_auditctl = mac_bsdextended_system_check_auditctl, + .mpo_system_check_swapoff = mac_bsdextended_system_check_swapoff, + .mpo_system_check_swapon = mac_bsdextended_system_check_swapon, + .mpo_vnode_check_access = mac_bsdextended_vnode_check_access, + .mpo_vnode_check_chdir = mac_bsdextended_vnode_check_chdir, + .mpo_vnode_check_chroot = mac_bsdextended_vnode_check_chroot, + .mpo_vnode_check_create = mac_bsdextended_check_create_vnode, + .mpo_vnode_check_deleteacl = mac_bsdextended_vnode_check_deleteacl, + .mpo_vnode_check_deleteextattr = mac_bsdextended_vnode_check_deleteextattr, + .mpo_vnode_check_exec = mac_bsdextended_vnode_check_exec, + .mpo_vnode_check_getacl = mac_bsdextended_vnode_check_getacl, + .mpo_vnode_check_getextattr = mac_bsdextended_vnode_check_getextattr, + .mpo_vnode_check_link = mac_bsdextended_vnode_check_link, + .mpo_vnode_check_listextattr = mac_bsdextended_vnode_check_listextattr, + .mpo_vnode_check_lookup = mac_bsdextended_vnode_check_lookup, + .mpo_vnode_check_open = mac_bsdextended_vnode_check_open, + .mpo_vnode_check_readdir = mac_bsdextended_vnode_check_readdir, + .mpo_vnode_check_readlink = mac_bsdextended_vnode_check_readdlink, + .mpo_vnode_check_rename_from = mac_bsdextended_vnode_check_rename_from, + .mpo_vnode_check_rename_to = mac_bsdextended_vnode_check_rename_to, + .mpo_vnode_check_revoke = mac_bsdextended_vnode_check_revoke, + .mpo_vnode_check_setacl = mac_bsdextended_check_setacl_vnode, + .mpo_vnode_check_setextattr = mac_bsdextended_vnode_check_setextattr, + .mpo_vnode_check_setflags = mac_bsdextended_vnode_check_setflags, + .mpo_vnode_check_setmode = mac_bsdextended_vnode_check_setmode, + .mpo_vnode_check_setowner = mac_bsdextended_vnode_check_setowner, + .mpo_vnode_check_setutimes = 
mac_bsdextended_vnode_check_setutimes, + .mpo_vnode_check_stat = mac_bsdextended_vnode_check_stat, + .mpo_vnode_check_unlink = mac_bsdextended_vnode_check_unlink, }; MAC_POLICY_SET(&mac_bsdextended_ops, mac_bsdextended, diff --git a/sys/security/mac_ifoff/mac_ifoff.c b/sys/security/mac_ifoff/mac_ifoff.c index 412a547..31bf09a 100644 --- a/sys/security/mac_ifoff/mac_ifoff.c +++ b/sys/security/mac_ifoff/mac_ifoff.c @@ -1,6 +1,7 @@ /*- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson * Copyright (c) 2001-2002 Networks Associates Technology, Inc. + * Copyright (c) 2006 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -10,6 +11,9 @@ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), * as part of the DARPA CHATS research program. * + * This software was enhanced by SPARTA ISSO under SPAWAR contract + * N66001-04-C-6019 ("SEFOS"). + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -79,7 +83,7 @@ SYSCTL_INT(_security_mac_ifoff, OID_AUTO, bpfrecv_enabled, CTLFLAG_RW, TUNABLE_INT("security.mac.ifoff.bpfrecv.enabled", &mac_ifoff_bpfrecv_enabled); static int -check_ifnet_outgoing(struct ifnet *ifp) +ifnet_check_outgoing(struct ifnet *ifp) { if (!mac_ifoff_enabled) @@ -95,7 +99,7 @@ check_ifnet_outgoing(struct ifnet *ifp) } static int -check_ifnet_incoming(struct ifnet *ifp, int viabpf) +ifnet_check_incoming(struct ifnet *ifp, int viabpf) { if (!mac_ifoff_enabled) return (0); 
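Review bot: Three initializers in `mac_bsdextended_ops` still break the object-first naming this commit introduces: `.mpo_vnode_check_create` points at `mac_bsdextended_check_create_vnode`, `.mpo_vnode_check_setacl` at `mac_bsdextended_check_setacl_vnode`, and `.mpo_vnode_check_readlink` at `mac_bsdextended_vnode_check_readdlink` (doubled `d`). The table presumably still links because the definitions carry the same names, but in an access-control policy a handler that cannot be found under the expected name is easy to overlook when auditing which entry points are enforced. I would rename them here to `mac_bsdextended_vnode_check_create`, `mac_bsdextended_vnode_check_setacl` and `mac_bsdextended_vnode_check_readlink`. Their definitions lie outside this hunk and would need the same change.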
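Review bot: The context lines of the `@@ -79,7 +83,7 @@` hunk in mac_ifoff.c show a sysctl leaf named `bpfrecv_enabled` under `_security_mac_ifoff`, while the tunable on the next line is registered as `"security.mac.ifoff.bpfrecv.enabled"`, with a dot where the sysctl has an underscore. If that is not deliberate, a loader setting written with the sysctl's name would be ignored silently and the policy would start with the compiled-in default. Since the commit is already normalising names in this file, I would either change the line to `TUNABLE_INT("security.mac.ifoff.bpfrecv_enabled", &mac_ifoff_bpfrecv_enabled);` or add a comment saying the difference is intentional. The sysctl node declaration is outside the hunk, so the full sysctl path is inferred.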
@@ -113,51 +117,51 @@ check_ifnet_incoming(struct ifnet *ifp, int viabpf) } static int -mac_ifoff_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel, +mac_ifoff_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel, struct ifnet *ifp, struct label *ifplabel) { - return (check_ifnet_incoming(ifp, 1)); + return (ifnet_check_incoming(ifp, 1)); } static int -mac_ifoff_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel, +mac_ifoff_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel, struct mbuf *m, struct label *mlabel) { - return (check_ifnet_outgoing(ifp)); + return (ifnet_check_outgoing(ifp)); } static int -mac_ifoff_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel, +mac_ifoff_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel, struct mbuf *m, struct label *mlabel) { M_ASSERTPKTHDR(m); if (m->m_pkthdr.rcvif != NULL) - return (check_ifnet_incoming(m->m_pkthdr.rcvif, 0)); + return (ifnet_check_incoming(m->m_pkthdr.rcvif, 0)); return (0); } static int -mac_ifoff_check_socket_deliver(struct socket *so, struct label *solabel, +mac_ifoff_socket_check_deliver(struct socket *so, struct label *solabel, struct mbuf *m, struct label *mlabel) { M_ASSERTPKTHDR(m); if (m->m_pkthdr.rcvif != NULL) - return (check_ifnet_incoming(m->m_pkthdr.rcvif, 0)); + return (ifnet_check_incoming(m->m_pkthdr.rcvif, 0)); return (0); } static struct mac_policy_ops mac_ifoff_ops = { - .mpo_check_bpfdesc_receive = mac_ifoff_check_bpfdesc_receive, - .mpo_check_ifnet_transmit = mac_ifoff_check_ifnet_transmit, - .mpo_check_inpcb_deliver = mac_ifoff_check_inpcb_deliver, - .mpo_check_socket_deliver = mac_ifoff_check_socket_deliver, + .mpo_bpfdesc_check_receive = mac_ifoff_bpfdesc_check_receive, + .mpo_ifnet_check_transmit = mac_ifoff_ifnet_check_transmit, + .mpo_inpcb_check_deliver = mac_ifoff_inpcb_check_deliver, + .mpo_socket_check_deliver = mac_ifoff_socket_check_deliver, }; MAC_POLICY_SET(&mac_ifoff_ops, mac_ifoff, "TrustedBSD MAC/ifoff", 
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c index 2186b97..8b44a09 100644 --- a/sys/security/mac_lomac/mac_lomac.c +++ b/sys/security/mac_lomac/mac_lomac.c @@ -1,6 +1,7 @@ /*- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson * Copyright (c) 2001-2005 Networks Associates Technology, Inc. + * Copyright (c) 2006 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -10,6 +11,9 @@ * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA * CHATS research program. * + * This software was enhanced by SPARTA ISSO under SPAWAR contract + * N66001-04-C-6019 ("SEFOS"). + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -631,7 +635,7 @@ mac_lomac_init_label_waitcheck(struct label *label, int flag) } static void -mac_lomac_init_proc_label(struct label *label) +mac_lomac_proc_init_label(struct label *label) { PSLOT_SET(label, malloc(sizeof(struct mac_lomac_proc), M_MACLOMAC, @@ -648,7 +652,7 @@ mac_lomac_destroy_label(struct label *label) } static void -mac_lomac_destroy_proc_label(struct label *label) +mac_lomac_proc_destroy_label(struct label *label) { mtx_destroy(&PSLOT(label)->mtx); @@ -901,7 +905,7 @@ mac_lomac_copy_label(struct label *src, struct label *dest) * a lot like file system objects. */ static void -mac_lomac_create_devfs_device(struct ucred *cred, struct mount *mp, +mac_lomac_devfs_create_device(struct ucred *cred, struct mount *mp, struct cdev *dev, struct devfs_dirent *de, struct label *delabel) { struct mac_lomac *mac_lomac; 
@@ -924,7 +928,7 @@ mac_lomac_create_devfs_device(struct ucred *cred, struct mount *mp, } static void -mac_lomac_create_devfs_directory(struct mount *mp, char *dirname, +mac_lomac_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen, struct devfs_dirent *de, struct label *delabel) { struct mac_lomac *mac_lomac; @@ -934,7 +938,7 @@ mac_lomac_create_devfs_directory(struct mount *mp, char *dirname, } static void -mac_lomac_create_devfs_symlink(struct ucred *cred, struct mount *mp, +mac_lomac_devfs_create_symlink(struct ucred *cred, struct mount *mp, struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, struct label *delabel) { @@ -947,7 +951,7 @@ mac_lomac_create_devfs_symlink(struct ucred *cred, struct mount *mp, } static void -mac_lomac_create_mount(struct ucred *cred, struct mount *mp, +mac_lomac_mount_create(struct ucred *cred, struct mount *mp, struct label *mplabel) { struct mac_lomac *source, *dest; @@ -958,7 +962,7 @@ mac_lomac_create_mount(struct ucred *cred, struct mount *mp, } static void -mac_lomac_relabel_vnode(struct ucred *cred, struct vnode *vp, +mac_lomac_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct label *newlabel) { struct mac_lomac *source, *dest; @@ -970,7 +974,7 @@ mac_lomac_relabel_vnode(struct ucred *cred, struct vnode *vp, } static void -mac_lomac_update_devfs(struct mount *mp, struct devfs_dirent *de, +mac_lomac_devfs_update(struct mount *mp, struct devfs_dirent *de, struct label *delabel, struct vnode *vp, struct label *vplabel) { struct mac_lomac *source, *dest; @@ -982,7 +986,7 @@ mac_lomac_update_devfs(struct mount *mp, struct devfs_dirent *de, } static void -mac_lomac_associate_vnode_devfs(struct mount *mp, struct label *mplabel, +mac_lomac_devfs_vnode_associate(struct mount *mp, struct label *mplabel, struct devfs_dirent *de, struct label *delabel, struct vnode *vp, struct label *vplabel) { 
@@ -995,7 +999,7 @@ mac_lomac_associate_vnode_devfs(struct mount *mp, struct label *mplabel, } static int -mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *mplabel, +mac_lomac_vnode_associate_extattr(struct mount *mp, struct label *mplabel, struct vnode *vp, struct label *vplabel) { struct mac_lomac temp, *source, *dest; @@ -1018,7 +1022,7 @@ mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *mplabel, if (buflen != sizeof(temp)) { if (buflen != sizeof(temp) - sizeof(temp.ml_auxsingle)) { - printf("mac_lomac_associate_vnode_extattr: bad size %d\n", + printf("mac_lomac_vnode_associate_extattr: bad size %d\n", buflen); return (EPERM); } @@ -1029,11 +1033,11 @@ mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *mplabel, buflen, (char *)&temp, curthread); } if (mac_lomac_valid(&temp) != 0) { - printf("mac_lomac_associate_vnode_extattr: invalid\n"); + printf("mac_lomac_vnode_associate_extattr: invalid\n"); return (EPERM); } if ((temp.ml_flags & MAC_LOMAC_FLAGS_BOTH) != MAC_LOMAC_FLAG_SINGLE) { - printf("mac_lomac_associate_vnode_extattr: not single\n"); + printf("mac_lomac_vnode_associate_extattr: not single\n"); return (EPERM); } @@ -1042,7 +1046,7 @@ mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *mplabel, } static void -mac_lomac_associate_vnode_singlelabel(struct mount *mp, +mac_lomac_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel, struct vnode *vp, struct label *vplabel) { struct mac_lomac *source, *dest; @@ -1054,7 +1058,7 @@ mac_lomac_associate_vnode_singlelabel(struct mount *mp, } static int -mac_lomac_create_vnode_extattr(struct ucred *cred, struct mount *mp, +mac_lomac_vnode_create_extattr(struct ucred *cred, struct mount *mp, struct label *mplabel, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp) { 
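Review bot: The three `printf` calls in `mac_lomac_vnode_associate_extattr` (hunks `@@ -1018,7 +1022,7 @@` and `@@ -1029,11 +1033,11 @@`) hard-code the function name, which is why a pure rename had to edit message strings. Using `__func__` keeps the log prefix correct through any later rename, e.g. `printf("%s: bad size %d\n", __func__, buflen);`, and likewise `printf("%s: invalid\n", __func__);` and `printf("%s: not single\n", __func__);`. Anything that matches on these console messages to spot rejected or malformed on-disk labels will see the prefix change with this commit. The function body starts and ends outside these hunks.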
@@ -1084,7 +1088,7 @@ mac_lomac_create_vnode_extattr(struct ucred *cred, struct mount *mp, } static int -mac_lomac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, +mac_lomac_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct label *intlabel) { struct mac_lomac *source, temp; @@ -1108,7 +1112,7 @@ mac_lomac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, * Labeling event operations: IPC object. */ static void -mac_lomac_create_inpcb_from_socket(struct socket *so, struct label *solabel, +mac_lomac_inpcb_create(struct socket *so, struct label *solabel, struct inpcb *inp, struct label *inplabel) { struct mac_lomac *source, *dest; @@ -1120,7 +1124,7 @@ mac_lomac_create_inpcb_from_socket(struct socket *so, struct label *solabel, } static void -mac_lomac_create_mbuf_from_socket(struct socket *so, struct label *solabel, +mac_lomac_socket_create_mbuf(struct socket *so, struct label *solabel, struct mbuf *m, struct label *mlabel) { struct mac_lomac *source, *dest; @@ -1132,7 +1136,7 @@ mac_lomac_create_mbuf_from_socket(struct socket *so, struct label *solabel, } static void -mac_lomac_create_socket(struct ucred *cred, struct socket *so, +mac_lomac_socket_create(struct ucred *cred, struct socket *so, struct label *solabel) { struct mac_lomac *source, *dest; @@ -1144,7 +1148,7 @@ mac_lomac_create_socket(struct ucred *cred, struct socket *so, } static void -mac_lomac_create_pipe(struct ucred *cred, struct pipepair *pp, +mac_lomac_pipe_create(struct ucred *cred, struct pipepair *pp, struct label *pplabel) { struct mac_lomac *source, *dest; 
@@ -1156,8 +1160,8 @@ mac_lomac_create_pipe(struct ucred *cred, struct pipepair *pp, } static void -mac_lomac_create_socket_from_socket(struct socket *oldso, - struct label *oldsolabel, struct socket *newso, struct label *newsolabel) +mac_lomac_socket_newconn(struct socket *oldso, struct label *oldsolabel, + struct socket *newso, struct label *newsolabel) { struct mac_lomac *source, *dest; @@ -1168,7 +1172,7 @@ mac_lomac_create_socket_from_socket(struct socket *oldso, } static void -mac_lomac_relabel_socket(struct ucred *cred, struct socket *so, +mac_lomac_socket_relabel(struct ucred *cred, struct socket *so, struct label *solabel, struct label *newlabel) { struct mac_lomac *source, *dest; @@ -1180,7 +1184,7 @@ mac_lomac_relabel_socket(struct ucred *cred, struct socket *so, } static void -mac_lomac_relabel_pipe(struct ucred *cred, struct pipepair *pp, +mac_lomac_pipe_relabel(struct ucred *cred, struct pipepair *pp, struct label *pplabel, struct label *newlabel) { struct mac_lomac *source, *dest; @@ -1192,7 +1196,7 @@ mac_lomac_relabel_pipe(struct ucred *cred, struct pipepair *pp, } static void -mac_lomac_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel, +mac_lomac_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel, struct socket *so, struct label *sopeerlabel) { struct mac_lomac *source, *dest; @@ -1207,7 +1211,7 @@ mac_lomac_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel, * Labeling event operations: network objects. */ static void -mac_lomac_set_socket_peer_from_socket(struct socket *oldso, +mac_lomac_socketpeer_set_from_socket(struct socket *oldso, struct label *oldsolabel, struct socket *newso, struct label *newsopeerlabel) { @@ -1220,7 +1224,7 @@ mac_lomac_set_socket_peer_from_socket(struct socket *oldso, } static void -mac_lomac_create_bpfdesc(struct ucred *cred, struct bpf_d *d, +mac_lomac_bpfdesc_create(struct ucred *cred, struct bpf_d *d, struct label *dlabel) { struct mac_lomac *source, *dest; 
@@ -1232,7 +1236,7 @@ mac_lomac_create_bpfdesc(struct ucred *cred, struct bpf_d *d, } static void -mac_lomac_create_ifnet(struct ifnet *ifp, struct label *ifplabel) +mac_lomac_ifnet_create(struct ifnet *ifp, struct label *ifplabel) { char tifname[IFNAMSIZ], *p, *q; char tiflist[sizeof(trusted_interfaces)]; @@ -1290,7 +1294,7 @@ set: } static void -mac_lomac_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq, +mac_lomac_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *ipq, struct label *ipqlabel) { struct mac_lomac *source, *dest; @@ -1302,7 +1306,7 @@ mac_lomac_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq, } static void -mac_lomac_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel, +mac_lomac_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel, struct mbuf *m, struct label *mlabel) { struct mac_lomac *source, *dest; @@ -1315,7 +1319,7 @@ mac_lomac_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel, } static void -mac_lomac_create_fragment(struct mbuf *m, struct label *mlabel, +mac_lomac_netinet_fragment(struct mbuf *m, struct label *mlabel, struct mbuf *frag, struct label *fraglabel) { struct mac_lomac *source, *dest; @@ -1327,7 +1331,7 @@ mac_lomac_create_fragment(struct mbuf *m, struct label *mlabel, } static void -mac_lomac_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel, +mac_lomac_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel, struct mbuf *m, struct label *mlabel) { struct mac_lomac *source, *dest; @@ -1350,7 +1354,7 @@ mac_lomac_create_mbuf_linklayer(struct ifnet *ifp, struct label *ifplabel, } static void -mac_lomac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel, +mac_lomac_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel, struct mbuf *m, struct label *mlabel) { struct mac_lomac *source, *dest; 
@@ -1362,7 +1366,7 @@ mac_lomac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel, } static void -mac_lomac_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel, +mac_lomac_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel, struct mbuf *m, struct label *mlabel) { struct mac_lomac *source, *dest; @@ -1374,7 +1378,7 @@ mac_lomac_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel, } static void -mac_lomac_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel, +mac_lomac_mbuf_create_multicast_encap(struct mbuf *m, struct label *mlabel, struct ifnet *ifp, struct label *ifplabel, struct mbuf *mnew, struct label *mnewlabel) { @@ -1387,7 +1391,7 @@ mac_lomac_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel, } static void -mac_lomac_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel, +mac_lomac_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel, struct mbuf *mnew, struct label *mnewlabel) { struct mac_lomac *source, *dest; @@ -1399,8 +1403,8 @@ mac_lomac_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel, } static int -mac_lomac_fragment_match(struct mbuf *m, struct label *mlabel, - struct ipq *ipq, struct label *ipqlabel) +mac_lomac_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq, + struct label *ipqlabel) { struct mac_lomac *a, *b; @@ -1411,7 +1415,7 @@ mac_lomac_fragment_match(struct mbuf *m, struct label *mlabel, } static void -mac_lomac_relabel_ifnet(struct ucred *cred, struct ifnet *ifp, +mac_lomac_ifnet_relabel(struct ucred *cred, struct ifnet *ifp, struct label *ifplabel, struct label *newlabel) { struct mac_lomac *source, *dest; @@ -1423,7 +1427,7 @@ mac_lomac_relabel_ifnet(struct ucred *cred, struct ifnet *ifp, } static void -mac_lomac_update_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq, +mac_lomac_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *ipq, struct label *ipqlabel) { 
@@ -1464,7 +1468,7 @@ mac_lomac_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m, } static void -mac_lomac_create_mbuf_from_firewall(struct mbuf *m, struct label *mlabel) +mac_lomac_mbuf_create_from_firewall(struct mbuf *m, struct label *mlabel) { struct mac_lomac *dest; @@ -1478,7 +1482,7 @@ mac_lomac_create_mbuf_from_firewall(struct mbuf *m, struct label *mlabel) * Labeling event operations: processes. */ static void -mac_lomac_execve_transition(struct ucred *old, struct ucred *new, +mac_lomac_vnode_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp, struct label *vplabel, struct label *interpvnodelabel, struct image_params *imgp, struct label *execlabel) { @@ -1514,7 +1518,7 @@ mac_lomac_execve_transition(struct ucred *old, struct ucred *new, } static int -mac_lomac_execve_will_transition(struct ucred *old, struct vnode *vp, +mac_lomac_vnode_execve_will_transition(struct ucred *old, struct vnode *vp, struct label *vplabel, struct label *interpvnodelabel, struct image_params *imgp, struct label *execlabel) { @@ -1534,7 +1538,7 @@ mac_lomac_execve_will_transition(struct ucred *old, struct vnode *vp, } static void -mac_lomac_create_proc0(struct ucred *cred) +mac_lomac_proc_create_swapper(struct ucred *cred) { struct mac_lomac *dest; @@ -1546,7 +1550,7 @@ mac_lomac_create_proc0(struct ucred *cred) } static void -mac_lomac_create_proc1(struct ucred *cred) +mac_lomac_proc_create_init(struct ucred *cred) { struct mac_lomac *dest; @@ -1558,7 +1562,7 @@ mac_lomac_create_proc1(struct ucred *cred) } static void -mac_lomac_relabel_cred(struct ucred *cred, struct label *newlabel) +mac_lomac_cred_relabel(struct ucred *cred, struct label *newlabel) { struct mac_lomac *source, *dest; 
@@ -1572,7 +1576,7 @@ mac_lomac_relabel_cred(struct ucred *cred, struct label *newlabel) * Access control checks. */ static int -mac_lomac_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel, +mac_lomac_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel, struct ifnet *ifp, struct label *ifplabel) { struct mac_lomac *a, *b; @@ -1589,7 +1593,7 @@ mac_lomac_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel, } static int -mac_lomac_check_cred_relabel(struct ucred *cred, struct label *newlabel) +mac_lomac_cred_check_relabel(struct ucred *cred, struct label *newlabel) { struct mac_lomac *subj, *new; int error; @@ -1655,7 +1659,7 @@ mac_lomac_check_cred_relabel(struct ucred *cred, struct label *newlabel) } static int -mac_lomac_check_cred_visible(struct ucred *cr1, struct ucred *cr2) +mac_lomac_cred_check_visible(struct ucred *cr1, struct ucred *cr2) { struct mac_lomac *subj, *obj; @@ -1673,7 +1677,7 @@ mac_lomac_check_cred_visible(struct ucred *cr1, struct ucred *cr2) } static int -mac_lomac_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp, +mac_lomac_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp, struct label *ifplabel, struct label *newlabel) { struct mac_lomac *subj, *new; @@ -1730,7 +1734,7 @@ mac_lomac_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp, } static int -mac_lomac_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel, +mac_lomac_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel, struct mbuf *m, struct label *mlabel) { struct mac_lomac *p, *i; @@ -1745,7 +1749,7 @@ mac_lomac_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel, } static int -mac_lomac_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel, +mac_lomac_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel, struct mbuf *m, struct label *mlabel) { struct mac_lomac *p, *i; 
@@ -1760,7 +1764,7 @@ mac_lomac_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel, } static int -mac_lomac_check_kld_load(struct ucred *cred, struct vnode *vp, +mac_lomac_kld_check_load(struct ucred *cred, struct vnode *vp, struct label *vplabel) { struct mac_lomac *subj, *obj; @@ -1781,7 +1785,7 @@ mac_lomac_check_kld_load(struct ucred *cred, struct vnode *vp, } static int -mac_lomac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp, +mac_lomac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp, struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data) { @@ -1794,7 +1798,7 @@ mac_lomac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp, } static int -mac_lomac_check_pipe_read(struct ucred *cred, struct pipepair *pp, +mac_lomac_pipe_check_read(struct ucred *cred, struct pipepair *pp, struct label *pplabel) { struct mac_lomac *subj, *obj; @@ -1812,7 +1816,7 @@ mac_lomac_check_pipe_read(struct ucred *cred, struct pipepair *pp, } static int -mac_lomac_check_pipe_relabel(struct ucred *cred, struct pipepair *pp, +mac_lomac_pipe_check_relabel(struct ucred *cred, struct pipepair *pp, struct label *pplabel, struct label *newlabel) { struct mac_lomac *subj, *obj, *new; @@ -1863,7 +1867,7 @@ mac_lomac_check_pipe_relabel(struct ucred *cred, struct pipepair *pp, } static int -mac_lomac_check_pipe_write(struct ucred *cred, struct pipepair *pp, +mac_lomac_pipe_check_write(struct ucred *cred, struct pipepair *pp, struct label *pplabel) { struct mac_lomac *subj, *obj; @@ -1881,7 +1885,7 @@ mac_lomac_check_pipe_write(struct ucred *cred, struct pipepair *pp, } static int -mac_lomac_check_proc_debug(struct ucred *cred, struct proc *p) +mac_lomac_proc_check_debug(struct ucred *cred, struct proc *p) { struct mac_lomac *subj, *obj; 
@@ -1901,7 +1905,7 @@ mac_lomac_check_proc_debug(struct ucred *cred, struct proc *p) } static int -mac_lomac_check_proc_sched(struct ucred *cred, struct proc *p) +mac_lomac_proc_check_sched(struct ucred *cred, struct proc *p) { struct mac_lomac *subj, *obj; @@ -1921,7 +1925,7 @@ mac_lomac_check_proc_sched(struct ucred *cred, struct proc *p) } static int -mac_lomac_check_proc_signal(struct ucred *cred, struct proc *p, int signum) +mac_lomac_proc_check_signal(struct ucred *cred, struct proc *p, int signum) { struct mac_lomac *subj, *obj; @@ -1941,7 +1945,7 @@ mac_lomac_check_proc_signal(struct ucred *cred, struct proc *p, int signum) } static int -mac_lomac_check_socket_deliver(struct socket *so, struct label *solabel, +mac_lomac_socket_check_deliver(struct socket *so, struct label *solabel, struct mbuf *m, struct label *mlabel) { struct mac_lomac *p, *s; @@ -1956,7 +1960,7 @@ mac_lomac_check_socket_deliver(struct socket *so, struct label *solabel, } static int -mac_lomac_check_socket_relabel(struct ucred *cred, struct socket *so, +mac_lomac_socket_check_relabel(struct ucred *cred, struct socket *so, struct label *solabel, struct label *newlabel) { struct mac_lomac *subj, *obj, *new; @@ -2007,7 +2011,7 @@ mac_lomac_check_socket_relabel(struct ucred *cred, struct socket *so, } static int -mac_lomac_check_socket_visible(struct ucred *cred, struct socket *so, +mac_lomac_socket_check_visible(struct ucred *cred, struct socket *so, struct label *solabel) { struct mac_lomac *subj, *obj; @@ -2215,7 +2219,7 @@ mac_lomac_priv_check(struct ucred *cred, int priv) static int -mac_lomac_check_system_acct(struct ucred *cred, struct vnode *vp, +mac_lomac_system_check_acct(struct ucred *cred, struct vnode *vp, struct label *vplabel) { struct mac_lomac *subj, *obj; 
@@ -2236,7 +2240,7 @@ mac_lomac_check_system_acct(struct ucred *cred, struct vnode *vp, } static int -mac_lomac_check_system_auditctl(struct ucred *cred, struct vnode *vp, +mac_lomac_system_check_auditctl(struct ucred *cred, struct vnode *vp, struct label *vplabel) { struct mac_lomac *subj, *obj; @@ -2257,7 +2261,7 @@ mac_lomac_check_system_auditctl(struct ucred *cred, struct vnode *vp, } static int -mac_lomac_check_system_swapoff(struct ucred *cred, struct vnode *vp, +mac_lomac_system_check_swapoff(struct ucred *cred, struct vnode *vp, struct label *vplabel) { struct mac_lomac *subj; @@ -2274,7 +2278,7 @@ mac_lomac_check_system_swapoff(struct ucred *cred, struct vnode *vp, } static int -mac_lomac_check_system_swapon(struct ucred *cred, struct vnode *vp, +mac_lomac_system_check_swapon(struct ucred *cred, struct vnode *vp, struct label *vplabel) { struct mac_lomac *subj, *obj; @@ -2295,7 +2299,7 @@ mac_lomac_check_system_swapon(struct ucred *cred, struct vnode *vp, } static int -mac_lomac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, +mac_lomac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp, void *arg1, int arg2, struct sysctl_req *req) { struct mac_lomac *subj; @@ -2323,7 +2327,7 @@ mac_lomac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, } static int -mac_lomac_check_vnode_create(struct ucred *cred, struct vnode *dvp, +mac_lomac_vnode_check_create(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct componentname *cnp, struct vattr *vap) { struct mac_lomac *subj, *obj; @@ -2344,7 +2348,7 @@ mac_lomac_check_vnode_create(struct ucred *cred, struct vnode *dvp, } static int -mac_lomac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, +mac_lomac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp, struct label *vplabel, acl_type_t type) { struct mac_lomac *subj, *obj; 
@@ -2362,7 +2366,7 @@ mac_lomac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, } static int -mac_lomac_check_vnode_link(struct ucred *cred, struct vnode *dvp, +mac_lomac_vnode_check_link(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp) { @@ -2386,7 +2390,7 @@ mac_lomac_check_vnode_link(struct ucred *cred, struct vnode *dvp, } static int -mac_lomac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, +mac_lomac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, struct label *vplabel, int prot, int flags) { struct mac_lomac *subj, *obj; @@ -2414,7 +2418,7 @@ mac_lomac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, } static void -mac_lomac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, +mac_lomac_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp, struct label *vplabel, /* XXX vm_prot_t */ int *prot) { struct mac_lomac *subj, *obj; @@ -2434,7 +2438,7 @@ mac_lomac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, } static int -mac_lomac_check_vnode_open(struct ucred *cred, struct vnode *vp, +mac_lomac_vnode_check_open(struct ucred *cred, struct vnode *vp, struct label *vplabel, int acc_mode) { struct mac_lomac *subj, *obj; @@ -2455,7 +2459,7 @@ mac_lomac_check_vnode_open(struct ucred *cred, struct vnode *vp, } static int -mac_lomac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, +mac_lomac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, struct label *vplabel) { struct mac_lomac *subj, *obj; @@ -2473,7 +2477,7 @@ mac_lomac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, } static int -mac_lomac_check_vnode_relabel(struct ucred *cred, struct vnode *vp, +mac_lomac_vnode_check_relabel(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct label *newlabel) { struct mac_lomac *old, *new, *subj; 
@@ -2549,7 +2553,7 @@ mac_lomac_check_vnode_relabel(struct ucred *cred, struct vnode *vp, } static int -mac_lomac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, +mac_lomac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp) { @@ -2573,7 +2577,7 @@ mac_lomac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, } static int -mac_lomac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, +mac_lomac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, int samedir, struct componentname *cnp) { @@ -2599,7 +2603,7 @@ mac_lomac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, } static int -mac_lomac_check_vnode_revoke(struct ucred *cred, struct vnode *vp, +mac_lomac_vnode_check_revoke(struct ucred *cred, struct vnode *vp, struct label *vplabel) { struct mac_lomac *subj, *obj; @@ -2617,7 +2621,7 @@ mac_lomac_check_vnode_revoke(struct ucred *cred, struct vnode *vp, } static int -mac_lomac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, +mac_lomac_vnode_check_setacl(struct ucred *cred, struct vnode *vp, struct label *vplabel, acl_type_t type, struct acl *acl) { struct mac_lomac *subj, *obj; @@ -2635,7 +2639,7 @@ mac_lomac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, } static int -mac_lomac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, +mac_lomac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp, struct label *vplabel, int attrnamespace, const char *name, struct uio *uio) { @@ -2656,7 +2660,7 @@ mac_lomac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, } static int -mac_lomac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, +mac_lomac_vnode_check_setflags(struct ucred *cred, struct vnode *vp, struct label *vplabel, u_long flags) { struct mac_lomac *subj, *obj; 
@@ -2674,7 +2678,7 @@ mac_lomac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, } static int -mac_lomac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, +mac_lomac_vnode_check_setmode(struct ucred *cred, struct vnode *vp, struct label *vplabel, mode_t mode) { struct mac_lomac *subj, *obj; @@ -2692,7 +2696,7 @@ mac_lomac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, } static int -mac_lomac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, +mac_lomac_vnode_check_setowner(struct ucred *cred, struct vnode *vp, struct label *vplabel, uid_t uid, gid_t gid) { struct mac_lomac *subj, *obj; @@ -2710,7 +2714,7 @@ mac_lomac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, } static int -mac_lomac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, +mac_lomac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct timespec atime, struct timespec mtime) { struct mac_lomac *subj, *obj; @@ -2728,7 +2732,7 @@ mac_lomac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, } static int -mac_lomac_check_vnode_unlink(struct ucred *cred, struct vnode *dvp, +mac_lomac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp) { @@ -2752,7 +2756,7 @@ mac_lomac_check_vnode_unlink(struct ucred *cred, struct vnode *dvp, } static int -mac_lomac_check_vnode_write(struct ucred *active_cred, +mac_lomac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, struct label *vplabel) { struct mac_lomac *subj, *obj; 
@@ -2818,140 +2822,141 @@ mac_lomac_thread_userret(struct thread *td) static struct mac_policy_ops mac_lomac_ops = { .mpo_init = mac_lomac_init, - .mpo_init_bpfdesc_label = mac_lomac_init_label, - .mpo_init_cred_label = mac_lomac_init_label, - .mpo_init_devfs_label = mac_lomac_init_label, - .mpo_init_ifnet_label = mac_lomac_init_label, + .mpo_bpfdesc_init_label = mac_lomac_init_label, + .mpo_cred_init_label = mac_lomac_init_label, + .mpo_devfs_init_label = mac_lomac_init_label, + .mpo_ifnet_init_label = mac_lomac_init_label, .mpo_init_syncache_label = mac_lomac_init_label_waitcheck, - .mpo_init_inpcb_label = mac_lomac_init_label_waitcheck, - .mpo_init_ipq_label = mac_lomac_init_label_waitcheck, - .mpo_init_mbuf_label = mac_lomac_init_label_waitcheck, - .mpo_init_mount_label = mac_lomac_init_label, - .mpo_init_pipe_label = mac_lomac_init_label, - .mpo_init_proc_label = mac_lomac_init_proc_label, - .mpo_init_socket_label = mac_lomac_init_label_waitcheck, - .mpo_init_socket_peer_label = mac_lomac_init_label_waitcheck, - .mpo_init_vnode_label = mac_lomac_init_label, + .mpo_inpcb_init_label = mac_lomac_init_label_waitcheck, + .mpo_ipq_init_label = mac_lomac_init_label_waitcheck, + .mpo_mbuf_init_label = mac_lomac_init_label_waitcheck, + .mpo_mount_init_label = mac_lomac_init_label, + .mpo_pipe_init_label = mac_lomac_init_label, + .mpo_proc_init_label = mac_lomac_proc_init_label, + .mpo_socket_init_label = mac_lomac_init_label_waitcheck, + .mpo_socketpeer_init_label = mac_lomac_init_label_waitcheck, + .mpo_vnode_init_label = mac_lomac_init_label, .mpo_init_syncache_from_inpcb = mac_lomac_init_syncache_from_inpcb, - .mpo_destroy_bpfdesc_label = mac_lomac_destroy_label, - .mpo_destroy_cred_label = mac_lomac_destroy_label, - .mpo_destroy_devfs_label = mac_lomac_destroy_label, - .mpo_destroy_ifnet_label = mac_lomac_destroy_label, - .mpo_destroy_inpcb_label = mac_lomac_destroy_label, - .mpo_destroy_ipq_label = mac_lomac_destroy_label, - .mpo_destroy_mbuf_label = 
mac_lomac_destroy_label, - .mpo_destroy_mount_label = mac_lomac_destroy_label, - .mpo_destroy_pipe_label = mac_lomac_destroy_label, - .mpo_destroy_proc_label = mac_lomac_destroy_proc_label, + .mpo_bpfdesc_destroy_label = mac_lomac_destroy_label, + .mpo_cred_destroy_label = mac_lomac_destroy_label, + .mpo_devfs_destroy_label = mac_lomac_destroy_label, + .mpo_ifnet_destroy_label = mac_lomac_destroy_label, + .mpo_inpcb_destroy_label = mac_lomac_destroy_label, + .mpo_ipq_destroy_label = mac_lomac_destroy_label, + .mpo_mbuf_destroy_label = mac_lomac_destroy_label, + .mpo_mount_destroy_label = mac_lomac_destroy_label, + .mpo_pipe_destroy_label = mac_lomac_destroy_label, + .mpo_proc_destroy_label = mac_lomac_proc_destroy_label, .mpo_destroy_syncache_label = mac_lomac_destroy_label, - .mpo_destroy_socket_label = mac_lomac_destroy_label, - .mpo_destroy_socket_peer_label = mac_lomac_destroy_label, - .mpo_destroy_vnode_label = mac_lomac_destroy_label, - .mpo_copy_cred_label = mac_lomac_copy_label, - .mpo_copy_ifnet_label = mac_lomac_copy_label, - .mpo_copy_mbuf_label = mac_lomac_copy_label, - .mpo_copy_pipe_label = mac_lomac_copy_label, - .mpo_copy_socket_label = mac_lomac_copy_label, - .mpo_copy_vnode_label = mac_lomac_copy_label, - .mpo_externalize_cred_label = mac_lomac_externalize_label, - .mpo_externalize_ifnet_label = mac_lomac_externalize_label, - .mpo_externalize_pipe_label = mac_lomac_externalize_label, - .mpo_externalize_socket_label = mac_lomac_externalize_label, - .mpo_externalize_socket_peer_label = mac_lomac_externalize_label, - .mpo_externalize_vnode_label = mac_lomac_externalize_label, - .mpo_internalize_cred_label = mac_lomac_internalize_label, - .mpo_internalize_ifnet_label = mac_lomac_internalize_label, - .mpo_internalize_pipe_label = mac_lomac_internalize_label, - .mpo_internalize_socket_label = mac_lomac_internalize_label, - .mpo_internalize_vnode_label = mac_lomac_internalize_label, - .mpo_create_devfs_device = mac_lomac_create_devfs_device, - 
.mpo_create_devfs_directory = mac_lomac_create_devfs_directory, - .mpo_create_devfs_symlink = mac_lomac_create_devfs_symlink, - .mpo_create_mount = mac_lomac_create_mount, - .mpo_relabel_vnode = mac_lomac_relabel_vnode, - .mpo_update_devfs = mac_lomac_update_devfs, - .mpo_associate_vnode_devfs = mac_lomac_associate_vnode_devfs, - .mpo_associate_vnode_extattr = mac_lomac_associate_vnode_extattr, - .mpo_associate_vnode_singlelabel = - mac_lomac_associate_vnode_singlelabel, - .mpo_create_vnode_extattr = mac_lomac_create_vnode_extattr, - .mpo_setlabel_vnode_extattr = mac_lomac_setlabel_vnode_extattr, - .mpo_create_mbuf_from_socket = mac_lomac_create_mbuf_from_socket, + .mpo_socket_destroy_label = mac_lomac_destroy_label, + .mpo_socketpeer_destroy_label = mac_lomac_destroy_label, + .mpo_vnode_destroy_label = mac_lomac_destroy_label, + .mpo_cred_copy_label = mac_lomac_copy_label, + .mpo_ifnet_copy_label = mac_lomac_copy_label, + .mpo_mbuf_copy_label = mac_lomac_copy_label, + .mpo_pipe_copy_label = mac_lomac_copy_label, + .mpo_socket_copy_label = mac_lomac_copy_label, + .mpo_vnode_copy_label = mac_lomac_copy_label, + .mpo_cred_externalize_label = mac_lomac_externalize_label, + .mpo_ifnet_externalize_label = mac_lomac_externalize_label, + .mpo_pipe_externalize_label = mac_lomac_externalize_label, + .mpo_socket_externalize_label = mac_lomac_externalize_label, + .mpo_socketpeer_externalize_label = mac_lomac_externalize_label, + .mpo_vnode_externalize_label = mac_lomac_externalize_label, + .mpo_cred_internalize_label = mac_lomac_internalize_label, + .mpo_ifnet_internalize_label = mac_lomac_internalize_label, + .mpo_pipe_internalize_label = mac_lomac_internalize_label, + .mpo_socket_internalize_label = mac_lomac_internalize_label, + .mpo_vnode_internalize_label = mac_lomac_internalize_label, + .mpo_devfs_create_device = mac_lomac_devfs_create_device, + .mpo_devfs_create_directory = mac_lomac_devfs_create_directory, + .mpo_devfs_create_symlink = mac_lomac_devfs_create_symlink, 
+ .mpo_mount_create = mac_lomac_mount_create, + .mpo_vnode_relabel = mac_lomac_vnode_relabel, + .mpo_devfs_update = mac_lomac_devfs_update, + .mpo_devfs_vnode_associate = mac_lomac_devfs_vnode_associate, + .mpo_vnode_associate_extattr = mac_lomac_vnode_associate_extattr, + .mpo_vnode_associate_singlelabel = + mac_lomac_vnode_associate_singlelabel, + .mpo_vnode_create_extattr = mac_lomac_vnode_create_extattr, + .mpo_vnode_setlabel_extattr = mac_lomac_vnode_setlabel_extattr, + .mpo_socket_create_mbuf = mac_lomac_socket_create_mbuf, .mpo_create_mbuf_from_syncache = mac_lomac_create_mbuf_from_syncache, - .mpo_create_pipe = mac_lomac_create_pipe, - .mpo_create_socket = mac_lomac_create_socket, - .mpo_create_socket_from_socket = mac_lomac_create_socket_from_socket, - .mpo_relabel_pipe = mac_lomac_relabel_pipe, - .mpo_relabel_socket = mac_lomac_relabel_socket, - .mpo_set_socket_peer_from_mbuf = mac_lomac_set_socket_peer_from_mbuf, - .mpo_set_socket_peer_from_socket = - mac_lomac_set_socket_peer_from_socket, - .mpo_create_bpfdesc = mac_lomac_create_bpfdesc, - .mpo_create_datagram_from_ipq = mac_lomac_create_datagram_from_ipq, - .mpo_create_fragment = mac_lomac_create_fragment, - .mpo_create_ifnet = mac_lomac_create_ifnet, - .mpo_create_inpcb_from_socket = mac_lomac_create_inpcb_from_socket, - .mpo_create_ipq = mac_lomac_create_ipq, - .mpo_create_mbuf_from_inpcb = mac_lomac_create_mbuf_from_inpcb, + .mpo_pipe_create = mac_lomac_pipe_create, + .mpo_socket_create = mac_lomac_socket_create, + .mpo_socket_newconn = mac_lomac_socket_newconn, + .mpo_pipe_relabel = mac_lomac_pipe_relabel, + .mpo_socket_relabel = mac_lomac_socket_relabel, + .mpo_socketpeer_set_from_mbuf = mac_lomac_socketpeer_set_from_mbuf, + .mpo_socketpeer_set_from_socket = + mac_lomac_socketpeer_set_from_socket, + .mpo_bpfdesc_create = mac_lomac_bpfdesc_create, + .mpo_ipq_reassemble = mac_lomac_ipq_reassemble, + .mpo_netinet_fragment = mac_lomac_netinet_fragment, + .mpo_ifnet_create = mac_lomac_ifnet_create, + 
.mpo_inpcb_create = mac_lomac_inpcb_create, + .mpo_ipq_create = mac_lomac_ipq_create, + .mpo_inpcb_create_mbuf = mac_lomac_inpcb_create_mbuf, .mpo_create_mbuf_linklayer = mac_lomac_create_mbuf_linklayer, - .mpo_create_mbuf_from_bpfdesc = mac_lomac_create_mbuf_from_bpfdesc, - .mpo_create_mbuf_from_ifnet = mac_lomac_create_mbuf_from_ifnet, - .mpo_create_mbuf_multicast_encap = - mac_lomac_create_mbuf_multicast_encap, - .mpo_create_mbuf_netlayer = mac_lomac_create_mbuf_netlayer, - .mpo_fragment_match = mac_lomac_fragment_match, - .mpo_relabel_ifnet = mac_lomac_relabel_ifnet, - .mpo_update_ipq = mac_lomac_update_ipq, + .mpo_bpfdesc_create_mbuf = mac_lomac_bpfdesc_create_mbuf, + .mpo_ifnet_create_mbuf = mac_lomac_ifnet_create_mbuf, + .mpo_mbuf_create_multicast_encap = + mac_lomac_mbuf_create_multicast_encap, + .mpo_mbuf_create_netlayer = mac_lomac_mbuf_create_netlayer, + .mpo_ipq_match = mac_lomac_ipq_match, + .mpo_ifnet_relabel = mac_lomac_ifnet_relabel, + .mpo_ipq_update = mac_lomac_ipq_update, .mpo_inpcb_sosetlabel = mac_lomac_inpcb_sosetlabel, - .mpo_execve_transition = mac_lomac_execve_transition, - .mpo_execve_will_transition = mac_lomac_execve_will_transition, - .mpo_create_proc0 = mac_lomac_create_proc0, - .mpo_create_proc1 = mac_lomac_create_proc1, - .mpo_relabel_cred = mac_lomac_relabel_cred, - .mpo_check_bpfdesc_receive = mac_lomac_check_bpfdesc_receive, - .mpo_check_cred_relabel = mac_lomac_check_cred_relabel, - .mpo_check_cred_visible = mac_lomac_check_cred_visible, - .mpo_check_ifnet_relabel = mac_lomac_check_ifnet_relabel, - .mpo_check_ifnet_transmit = mac_lomac_check_ifnet_transmit, - .mpo_check_inpcb_deliver = mac_lomac_check_inpcb_deliver, - .mpo_check_kld_load = mac_lomac_check_kld_load, - .mpo_check_pipe_ioctl = mac_lomac_check_pipe_ioctl, - .mpo_check_pipe_read = mac_lomac_check_pipe_read, - .mpo_check_pipe_relabel = mac_lomac_check_pipe_relabel, - .mpo_check_pipe_write = mac_lomac_check_pipe_write, - .mpo_check_proc_debug = 
mac_lomac_check_proc_debug, - .mpo_check_proc_sched = mac_lomac_check_proc_sched, - .mpo_check_proc_signal = mac_lomac_check_proc_signal, - .mpo_check_socket_deliver = mac_lomac_check_socket_deliver, - .mpo_check_socket_relabel = mac_lomac_check_socket_relabel, - .mpo_check_socket_visible = mac_lomac_check_socket_visible, - .mpo_check_system_acct = mac_lomac_check_system_acct, - .mpo_check_system_auditctl = mac_lomac_check_system_auditctl, - .mpo_check_system_swapoff = mac_lomac_check_system_swapoff, - .mpo_check_system_swapon = mac_lomac_check_system_swapon, - .mpo_check_system_sysctl = mac_lomac_check_system_sysctl, - .mpo_check_vnode_access = mac_lomac_check_vnode_open, - .mpo_check_vnode_create = mac_lomac_check_vnode_create, - .mpo_check_vnode_deleteacl = mac_lomac_check_vnode_deleteacl, - .mpo_check_vnode_link = mac_lomac_check_vnode_link, - .mpo_check_vnode_mmap = mac_lomac_check_vnode_mmap, - .mpo_check_vnode_mmap_downgrade = mac_lomac_check_vnode_mmap_downgrade, - .mpo_check_vnode_open = mac_lomac_check_vnode_open, - .mpo_check_vnode_read = mac_lomac_check_vnode_read, - .mpo_check_vnode_relabel = mac_lomac_check_vnode_relabel, - .mpo_check_vnode_rename_from = mac_lomac_check_vnode_rename_from, - .mpo_check_vnode_rename_to = mac_lomac_check_vnode_rename_to, - .mpo_check_vnode_revoke = mac_lomac_check_vnode_revoke, - .mpo_check_vnode_setacl = mac_lomac_check_vnode_setacl, - .mpo_check_vnode_setextattr = mac_lomac_check_vnode_setextattr, - .mpo_check_vnode_setflags = mac_lomac_check_vnode_setflags, - .mpo_check_vnode_setmode = mac_lomac_check_vnode_setmode, - .mpo_check_vnode_setowner = mac_lomac_check_vnode_setowner, - .mpo_check_vnode_setutimes = mac_lomac_check_vnode_setutimes, - .mpo_check_vnode_unlink = mac_lomac_check_vnode_unlink, - .mpo_check_vnode_write = mac_lomac_check_vnode_write, + .mpo_vnode_execve_transition = mac_lomac_vnode_execve_transition, + .mpo_vnode_execve_will_transition = + mac_lomac_vnode_execve_will_transition, + 
.mpo_proc_create_swapper = mac_lomac_proc_create_swapper, + .mpo_proc_create_init = mac_lomac_proc_create_init, + .mpo_cred_relabel = mac_lomac_cred_relabel, + .mpo_bpfdesc_check_receive = mac_lomac_bpfdesc_check_receive, + .mpo_cred_check_relabel = mac_lomac_cred_check_relabel, + .mpo_cred_check_visible = mac_lomac_cred_check_visible, + .mpo_ifnet_check_relabel = mac_lomac_ifnet_check_relabel, + .mpo_ifnet_check_transmit = mac_lomac_ifnet_check_transmit, + .mpo_inpcb_check_deliver = mac_lomac_inpcb_check_deliver, + .mpo_kld_check_load = mac_lomac_kld_check_load, + .mpo_pipe_check_ioctl = mac_lomac_pipe_check_ioctl, + .mpo_pipe_check_read = mac_lomac_pipe_check_read, + .mpo_pipe_check_relabel = mac_lomac_pipe_check_relabel, + .mpo_pipe_check_write = mac_lomac_pipe_check_write, + .mpo_proc_check_debug = mac_lomac_proc_check_debug, + .mpo_proc_check_sched = mac_lomac_proc_check_sched, + .mpo_proc_check_signal = mac_lomac_proc_check_signal, + .mpo_socket_check_deliver = mac_lomac_socket_check_deliver, + .mpo_socket_check_relabel = mac_lomac_socket_check_relabel, + .mpo_socket_check_visible = mac_lomac_socket_check_visible, + .mpo_system_check_acct = mac_lomac_system_check_acct, + .mpo_system_check_auditctl = mac_lomac_system_check_auditctl, + .mpo_system_check_swapoff = mac_lomac_system_check_swapoff, + .mpo_system_check_swapon = mac_lomac_system_check_swapon, + .mpo_system_check_sysctl = mac_lomac_system_check_sysctl, + .mpo_vnode_check_access = mac_lomac_vnode_check_open, + .mpo_vnode_check_create = mac_lomac_vnode_check_create, + .mpo_vnode_check_deleteacl = mac_lomac_vnode_check_deleteacl, + .mpo_vnode_check_link = mac_lomac_vnode_check_link, + .mpo_vnode_check_mmap = mac_lomac_vnode_check_mmap, + .mpo_vnode_check_mmap_downgrade = mac_lomac_vnode_check_mmap_downgrade, + .mpo_vnode_check_open = mac_lomac_vnode_check_open, + .mpo_vnode_check_read = mac_lomac_vnode_check_read, + .mpo_vnode_check_relabel = mac_lomac_vnode_check_relabel, + .mpo_vnode_check_rename_from 
= mac_lomac_vnode_check_rename_from, + .mpo_vnode_check_rename_to = mac_lomac_vnode_check_rename_to, + .mpo_vnode_check_revoke = mac_lomac_vnode_check_revoke, + .mpo_vnode_check_setacl = mac_lomac_vnode_check_setacl, + .mpo_vnode_check_setextattr = mac_lomac_vnode_check_setextattr, + .mpo_vnode_check_setflags = mac_lomac_vnode_check_setflags, + .mpo_vnode_check_setmode = mac_lomac_vnode_check_setmode, + .mpo_vnode_check_setowner = mac_lomac_vnode_check_setowner, + .mpo_vnode_check_setutimes = mac_lomac_vnode_check_setutimes, + .mpo_vnode_check_unlink = mac_lomac_vnode_check_unlink, + .mpo_vnode_check_write = mac_lomac_vnode_check_write, .mpo_thread_userret = mac_lomac_thread_userret, - .mpo_create_mbuf_from_firewall = mac_lomac_create_mbuf_from_firewall, + .mpo_mbuf_create_from_firewall = mac_lomac_mbuf_create_from_firewall, .mpo_priv_check = mac_lomac_priv_check, }; diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c index 0a84ae1..ea62f3f 100644 --- a/sys/security/mac_mls/mac_mls.c +++ b/sys/security/mac_mls/mac_mls.c @@ -1,6 +1,7 @@ /*- * Copyright (c) 1999-2002 Robert N. M. Watson * Copyright (c) 2001-2005 McAfee, Inc. + * Copyright (c) 2006 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -10,6 +11,9 @@ * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA * CHATS research program. * + * This software was enhanced by SPARTA ISSO under SPAWAR contract + * N66001-04-C-6019 ("SEFOS"). + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: 
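Review bot: Five entries in the `mac_lomac_ops` initializer keep the old verb-first names while everything around them moves to object-first: `.mpo_init_syncache_label`, `.mpo_init_syncache_from_inpcb`, `.mpo_destroy_syncache_label`, `.mpo_create_mbuf_from_syncache` and `.mpo_create_mbuf_linklayer`. If they are deliberately deferred, a one-line comment above the first of them, e.g. `/* syncache and linklayer entry points still use the old naming */`, would keep a reader from assuming the table was only half converted. Separately, `.mpo_vnode_check_access = mac_lomac_vnode_check_open` routes the access hook through the open check. A short comment such as `/* access checks share the open policy */` would show that the hook is covered on purpose rather than missing its own function.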
@@ -745,7 +749,7 @@ mac_mls_copy_label(struct label *src, struct label *dest) * a lot like file system objects. */ static void -mac_mls_create_devfs_device(struct ucred *cred, struct mount *mp, +mac_mls_devfs_create_device(struct ucred *cred, struct mount *mp, struct cdev *dev, struct devfs_dirent *de, struct label *delabel) { struct mac_mls *mac_mls; @@ -770,7 +774,7 @@ mac_mls_create_devfs_device(struct ucred *cred, struct mount *mp, } static void -mac_mls_create_devfs_directory(struct mount *mp, char *dirname, +mac_mls_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen, struct devfs_dirent *de, struct label *delabel) { struct mac_mls *mac_mls; @@ -780,7 +784,7 @@ mac_mls_create_devfs_directory(struct mount *mp, char *dirname, } static void -mac_mls_create_devfs_symlink(struct ucred *cred, struct mount *mp, +mac_mls_devfs_create_symlink(struct ucred *cred, struct mount *mp, struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, struct label *delabel) { @@ -793,7 +797,7 @@ mac_mls_create_devfs_symlink(struct ucred *cred, struct mount *mp, } static void -mac_mls_create_mount(struct ucred *cred, struct mount *mp, +mac_mls_mount_create(struct ucred *cred, struct mount *mp, struct label *mplabel) { struct mac_mls *source, *dest; @@ -804,7 +808,7 @@ mac_mls_create_mount(struct ucred *cred, struct mount *mp, } static void -mac_mls_relabel_vnode(struct ucred *cred, struct vnode *vp, +mac_mls_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct label *label) { struct mac_mls *source, *dest; @@ -816,7 +820,7 @@ mac_mls_relabel_vnode(struct ucred *cred, struct vnode *vp, } static void -mac_mls_update_devfs(struct mount *mp, struct devfs_dirent *de, +mac_mls_devfs_update(struct mount *mp, struct devfs_dirent *de, struct label *delabel, struct vnode *vp, struct label *vplabel) { struct mac_mls *source, *dest; 
@@ -828,7 +832,7 @@ mac_mls_update_devfs(struct mount *mp, struct devfs_dirent *de, } static void -mac_mls_associate_vnode_devfs(struct mount *mp, struct label *mplabel, +mac_mls_devfs_vnode_associate(struct mount *mp, struct label *mplabel, struct devfs_dirent *de, struct label *delabel, struct vnode *vp, struct label *vplabel) { @@ -841,7 +845,7 @@ mac_mls_associate_vnode_devfs(struct mount *mp, struct label *mplabel, } static int -mac_mls_associate_vnode_extattr(struct mount *mp, struct label *mplabel, +mac_mls_vnode_associate_extattr(struct mount *mp, struct label *mplabel, struct vnode *vp, struct label *vplabel) { struct mac_mls temp, *source, *dest; @@ -863,12 +867,12 @@ mac_mls_associate_vnode_extattr(struct mount *mp, struct label *mplabel, return (error); if (buflen != sizeof(temp)) { - printf("mac_mls_associate_vnode_extattr: bad size %d\n", + printf("mac_mls_vnode_associate_extattr: bad size %d\n", buflen); return (EPERM); } if (mac_mls_valid(&temp) != 0) { - printf("mac_mls_associate_vnode_extattr: invalid\n"); + printf("mac_mls_vnode_associate_extattr: invalid\n"); return (EPERM); } if ((temp.mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAG_EFFECTIVE) { @@ -881,7 +885,7 @@ mac_mls_associate_vnode_extattr(struct mount *mp, struct label *mplabel, } static void -mac_mls_associate_vnode_singlelabel(struct mount *mp, +mac_mls_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel, struct vnode *vp, struct label *vplabel) { struct mac_mls *source, *dest; @@ -893,7 +897,7 @@ mac_mls_associate_vnode_singlelabel(struct mount *mp, } static int -mac_mls_create_vnode_extattr(struct ucred *cred, struct mount *mp, +mac_mls_vnode_create_extattr(struct ucred *cred, struct mount *mp, struct label *mplabel, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp) { 
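Review bot: The two `printf` messages in `mac_mls_vnode_associate_extattr` hard-code the function name, which is why this rename had to edit string literals at all. Writing them as `printf("%s: bad size %d\n", __func__, buflen);` and `printf("%s: invalid\n", __func__);` would keep them correct across future renames. These messages are the only visible trace when the label fails the size or validity check and the call returns `EPERM`, so an accurate name matters for tying the denial back to this policy. The function body starts and ends outside this hunk.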
@@ -916,7 +920,7 @@ mac_mls_create_vnode_extattr(struct ucred *cred, struct mount *mp, } static int -mac_mls_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, +mac_mls_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct label *intlabel) { struct mac_mls *source, temp; @@ -941,7 +945,7 @@ mac_mls_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, * Labeling event operations: IPC object. */ static void -mac_mls_create_inpcb_from_socket(struct socket *so, struct label *solabel, +mac_mls_inpcb_create(struct socket *so, struct label *solabel, struct inpcb *inp, struct label *inplabel) { struct mac_mls *source, *dest; @@ -953,7 +957,7 @@ mac_mls_create_inpcb_from_socket(struct socket *so, struct label *solabel, } static void -mac_mls_create_mbuf_from_socket(struct socket *so, struct label *solabel, +mac_mls_socket_create_mbuf(struct socket *so, struct label *solabel, struct mbuf *m, struct label *mlabel) { struct mac_mls *source, *dest; @@ -965,7 +969,7 @@ mac_mls_create_mbuf_from_socket(struct socket *so, struct label *solabel, } static void -mac_mls_create_socket(struct ucred *cred, struct socket *so, +mac_mls_socket_create(struct ucred *cred, struct socket *so, struct label *solabel) { struct mac_mls *source, *dest; @@ -977,7 +981,7 @@ mac_mls_create_socket(struct ucred *cred, struct socket *so, } static void -mac_mls_create_pipe(struct ucred *cred, struct pipepair *pp, +mac_mls_pipe_create(struct ucred *cred, struct pipepair *pp, struct label *pplabel) { struct mac_mls *source, *dest; @@ -989,7 +993,7 @@ mac_mls_create_pipe(struct ucred *cred, struct pipepair *pp, } static void -mac_mls_create_posix_sem(struct ucred *cred, struct ksem *ks, +mac_mls_posixsem_create(struct ucred *cred, struct ksem *ks, struct label *kslabel) { struct mac_mls *source, *dest; 
@@ -1001,8 +1005,8 @@ mac_mls_create_posix_sem(struct ucred *cred, struct ksem *ks, } static void -mac_mls_create_socket_from_socket(struct socket *oldso, - struct label *oldsolabel, struct socket *newso, struct label *newsolabel) +mac_mls_socket_newconn(struct socket *oldso, struct label *oldsolabel, + struct socket *newso, struct label *newsolabel) { struct mac_mls *source, *dest; @@ -1013,7 +1017,7 @@ mac_mls_create_socket_from_socket(struct socket *oldso, } static void -mac_mls_relabel_socket(struct ucred *cred, struct socket *so, +mac_mls_socket_relabel(struct ucred *cred, struct socket *so, struct label *solabel, struct label *newlabel) { struct mac_mls *source, *dest; @@ -1025,7 +1029,7 @@ mac_mls_relabel_socket(struct ucred *cred, struct socket *so, } static void -mac_mls_relabel_pipe(struct ucred *cred, struct pipepair *pp, +mac_mls_pipe_relabel(struct ucred *cred, struct pipepair *pp, struct label *pplabel, struct label *newlabel) { struct mac_mls *source, *dest; @@ -1037,7 +1041,7 @@ mac_mls_relabel_pipe(struct ucred *cred, struct pipepair *pp, } static void -mac_mls_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel, +mac_mls_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel, struct socket *so, struct label *sopeerlabel) { struct mac_mls *source, *dest; @@ -1052,7 +1056,7 @@ mac_mls_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel, * Labeling event operations: System V IPC objects. */ static void -mac_mls_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr, +mac_mls_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr, struct label *msqlabel, struct msg *msgptr, struct label *msglabel) { struct mac_mls *source, *dest; 
@@ -1065,7 +1069,7 @@ mac_mls_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr, } static void -mac_mls_create_sysv_msgqueue(struct ucred *cred, struct msqid_kernel *msqkptr, +mac_mls_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr, struct label *msqlabel) { struct mac_mls *source, *dest; @@ -1077,7 +1081,7 @@ mac_mls_create_sysv_msgqueue(struct ucred *cred, struct msqid_kernel *msqkptr, } static void -mac_mls_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr, +mac_mls_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr, struct label *semalabel) { struct mac_mls *source, *dest; @@ -1089,7 +1093,7 @@ mac_mls_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr, } static void -mac_mls_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr, +mac_mls_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr, struct label *shmlabel) { struct mac_mls *source, *dest; @@ -1104,7 +1108,7 @@ mac_mls_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr, * Labeling event operations: network objects. */ static void -mac_mls_set_socket_peer_from_socket(struct socket *oldso, +mac_mls_socketpeer_set_from_socket(struct socket *oldso, struct label *oldsolabel, struct socket *newso, struct label *newsopeerlabel) { @@ -1117,7 +1121,7 @@ mac_mls_set_socket_peer_from_socket(struct socket *oldso, } static void -mac_mls_create_bpfdesc(struct ucred *cred, struct bpf_d *d, +mac_mls_bpfdesc_create(struct ucred *cred, struct bpf_d *d, struct label *dlabel) { struct mac_mls *source, *dest; @@ -1129,7 +1133,7 @@ mac_mls_create_bpfdesc(struct ucred *cred, struct bpf_d *d, } static void -mac_mls_create_ifnet(struct ifnet *ifp, struct label *ifplabel) +mac_mls_ifnet_create(struct ifnet *ifp, struct label *ifplabel) { struct mac_mls *dest; int type; 
@@ -1146,7 +1150,7 @@ mac_mls_create_ifnet(struct ifnet *ifp, struct label *ifplabel) } static void -mac_mls_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq, +mac_mls_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *ipq, struct label *ipqlabel) { struct mac_mls *source, *dest; @@ -1158,7 +1162,7 @@ mac_mls_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq, } static void -mac_mls_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel, +mac_mls_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel, struct mbuf *m, struct label *mlabel) { struct mac_mls *source, *dest; @@ -1171,7 +1175,7 @@ mac_mls_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel, } static void -mac_mls_create_fragment(struct mbuf *m, struct label *mlabel, +mac_mls_netinet_fragment(struct mbuf *m, struct label *mlabel, struct mbuf *frag, struct label *fraglabel) { struct mac_mls *source, *dest; @@ -1183,7 +1187,7 @@ mac_mls_create_fragment(struct mbuf *m, struct label *mlabel, } static void -mac_mls_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel, +mac_mls_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel, struct mbuf *m, struct label *mlabel) { struct mac_mls *source, *dest; @@ -1206,7 +1210,7 @@ mac_mls_create_mbuf_linklayer(struct ifnet *ifp, struct label *ifplabel, } static void -mac_mls_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel, +mac_mls_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel, struct mbuf *m, struct label *mlabel) { struct mac_mls *source, *dest; @@ -1218,7 +1222,7 @@ mac_mls_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel, } static void -mac_mls_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel, +mac_mls_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel, struct mbuf *m, struct label *mlabel) { struct mac_mls *source, *dest; 
@@ -1230,7 +1234,7 @@ mac_mls_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel, } static void -mac_mls_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel, +mac_mls_mbuf_create_multicast_encap(struct mbuf *m, struct label *mlabel, struct ifnet *ifp, struct label *ifplabel, struct mbuf *mnew, struct label *mnewlabel) { @@ -1243,7 +1247,7 @@ mac_mls_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel, } static void -mac_mls_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel, +mac_mls_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel, struct mbuf *mnew, struct label *mnewlabel) { struct mac_mls *source, *dest; @@ -1255,7 +1259,7 @@ mac_mls_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel, } static int -mac_mls_fragment_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq, +mac_mls_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq, struct label *ipqlabel) { struct mac_mls *a, *b; @@ -1267,7 +1271,7 @@ mac_mls_fragment_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq, } static void -mac_mls_relabel_ifnet(struct ucred *cred, struct ifnet *ifp, +mac_mls_ifnet_relabel(struct ucred *cred, struct ifnet *ifp, struct label *ifplabel, struct label *newlabel) { struct mac_mls *source, *dest; @@ -1279,7 +1283,7 @@ mac_mls_relabel_ifnet(struct ucred *cred, struct ifnet *ifp, } static void -mac_mls_update_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq, +mac_mls_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *ipq, struct label *ipqlabel) { @@ -1299,7 +1303,7 @@ mac_mls_inpcb_sosetlabel(struct socket *so, struct label *solabel, } static void -mac_mls_create_mbuf_from_firewall(struct mbuf *m, struct label *mlabel) +mac_mls_mbuf_create_from_firewall(struct mbuf *m, struct label *mlabel) { struct mac_mls *dest; 
@@ -1334,7 +1338,7 @@ mac_mls_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m, * Labeling event operations: processes. */ static void -mac_mls_create_proc0(struct ucred *cred) +mac_mls_proc_create_swapper(struct ucred *cred) { struct mac_mls *dest; @@ -1346,7 +1350,7 @@ mac_mls_create_proc0(struct ucred *cred) } static void -mac_mls_create_proc1(struct ucred *cred) +mac_mls_proc_create_init(struct ucred *cred) { struct mac_mls *dest; @@ -1358,7 +1362,7 @@ mac_mls_create_proc1(struct ucred *cred) } static void -mac_mls_relabel_cred(struct ucred *cred, struct label *newlabel) +mac_mls_cred_relabel(struct ucred *cred, struct label *newlabel) { struct mac_mls *source, *dest; @@ -1372,28 +1376,28 @@ mac_mls_relabel_cred(struct ucred *cred, struct label *newlabel) * Label cleanup/flush operations. */ static void -mac_mls_cleanup_sysv_msgmsg(struct label *msglabel) +mac_mls_sysvmsg_cleanup(struct label *msglabel) { bzero(SLOT(msglabel), sizeof(struct mac_mls)); } static void -mac_mls_cleanup_sysv_msgqueue(struct label *msqlabel) +mac_mls_sysvmsq_cleanup(struct label *msqlabel) { bzero(SLOT(msqlabel), sizeof(struct mac_mls)); } static void -mac_mls_cleanup_sysv_sem(struct label *semalabel) +mac_mls_sysvsem_cleanup(struct label *semalabel) { bzero(SLOT(semalabel), sizeof(struct mac_mls)); } static void -mac_mls_cleanup_sysv_shm(struct label *shmlabel) +mac_mls_sysvshm_cleanup(struct label *shmlabel) { bzero(SLOT(shmlabel), sizeof(struct mac_mls)); @@ -1403,7 +1407,7 @@ mac_mls_cleanup_sysv_shm(struct label *shmlabel) * Access control checks. */ static int -mac_mls_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel, +mac_mls_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel, struct ifnet *ifp, struct label *ifplabel) { struct mac_mls *a, *b; 
@@ -1420,7 +1424,7 @@ mac_mls_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel, } static int -mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel) +mac_mls_cred_check_relabel(struct ucred *cred, struct label *newlabel) { struct mac_mls *subj, *new; int error; @@ -1482,7 +1486,7 @@ mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel) } static int -mac_mls_check_cred_visible(struct ucred *cr1, struct ucred *cr2) +mac_mls_cred_check_visible(struct ucred *cr1, struct ucred *cr2) { struct mac_mls *subj, *obj; @@ -1500,7 +1504,7 @@ mac_mls_check_cred_visible(struct ucred *cr1, struct ucred *cr2) } static int -mac_mls_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp, +mac_mls_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp, struct label *ifplabel, struct label *newlabel) { struct mac_mls *subj, *new; @@ -1526,7 +1530,7 @@ mac_mls_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp, } static int -mac_mls_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel, +mac_mls_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel, struct mbuf *m, struct label *mlabel) { struct mac_mls *p, *i; @@ -1541,7 +1545,7 @@ mac_mls_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel, } static int -mac_mls_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel, +mac_mls_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel, struct mbuf *m, struct label *mlabel) { struct mac_mls *p, *i; @@ -1556,7 +1560,7 @@ mac_mls_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel, } static int -mac_mls_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr, +mac_mls_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr, struct label *msglabel) { struct mac_mls *subj, *obj; 
@@ -1574,7 +1578,7 @@ mac_mls_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
 }
 static int
-mac_mls_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
+mac_mls_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr,
 struct label *msglabel)
 {
 struct mac_mls *subj, *obj;
@@ -1592,8 +1596,8 @@ mac_mls_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
 }
 static int
-mac_mls_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel)
+mac_mls_sysvmsq_check_msqget(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel)
 {
 struct mac_mls *subj, *obj;
@@ -1610,8 +1614,8 @@ mac_mls_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
 }
 static int
-mac_mls_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel)
+mac_mls_sysvmsq_check_msqsnd(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel)
 {
 struct mac_mls *subj, *obj;
@@ -1628,8 +1632,8 @@ mac_mls_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
 }
 static int
-mac_mls_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel)
+mac_mls_sysvmsq_check_msqrcv(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel)
 {
 struct mac_mls *subj, *obj;
@@ -1646,8 +1650,8 @@ mac_mls_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
 }
 static int
-mac_mls_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel, int cmd)
+mac_mls_sysvmsq_check_msqctl(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel, int cmd)
 {
 struct mac_mls *subj, *obj;
@@ -1677,8 +1681,8 @@ mac_mls_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
 }
 static int
-mac_mls_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
- struct label *semaklabel, int cmd)
+mac_mls_sysvsem_check_semctl(struct ucred *cred,
+ struct semid_kernel *semakptr, struct label *semaklabel, int cmd)
 {
 struct mac_mls *subj, *obj;
@@ -1715,8 +1719,8 @@ mac_mls_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
 }
 static int
-mac_mls_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
- struct label *semaklabel)
+mac_mls_sysvsem_check_semget(struct ucred *cred,
+ struct semid_kernel *semakptr, struct label *semaklabel)
 {
 struct mac_mls *subj, *obj;
@@ -1733,8 +1737,9 @@ mac_mls_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
 }
 static int
-mac_mls_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
- struct label *semaklabel, size_t accesstype)
+mac_mls_sysvsem_check_semop(struct ucred *cred,
+ struct semid_kernel *semakptr, struct label *semaklabel,
+ size_t accesstype)
 {
 struct mac_mls *subj, *obj;
@@ -1756,8 +1761,8 @@ mac_mls_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
 }
 static int
-mac_mls_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmseglabel, int shmflg)
+mac_mls_sysvshm_check_shmat(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg)
 {
 struct mac_mls *subj, *obj;
@@ -1777,8 +1782,8 @@ mac_mls_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
 }
 static int
-mac_mls_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmseglabel, int cmd)
+mac_mls_sysvshm_check_shmctl(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, struct label *shmseglabel, int cmd)
 {
 struct mac_mls *subj, *obj;
@@ -1809,8 +1814,8 @@ mac_mls_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
 }
 static int
-mac_mls_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmseglabel, int shmflg)
+mac_mls_sysvshm_check_shmget(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg)
 {
 struct mac_mls *subj, *obj;
@@ -1827,7 +1832,7 @@ mac_mls_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
 }
 static int
-mac_mls_check_mount_stat(struct ucred *cred, struct mount *mp,
+mac_mls_mount_check_stat(struct ucred *cred, struct mount *mp,
 struct label *mntlabel)
 {
 struct mac_mls *subj, *obj;
@@ -1845,7 +1850,7 @@ mac_mls_check_mount_stat(struct ucred *cred, struct mount *mp,
 }
 static int
-mac_mls_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
+mac_mls_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
 struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
 {
@@ -1858,7 +1863,7 @@ mac_mls_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
 }
 static int
-mac_mls_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
+mac_mls_pipe_check_poll(struct ucred *cred, struct pipepair *pp,
 struct label *pplabel)
 {
 struct mac_mls *subj, *obj;
@@ -1876,7 +1881,7 @@ mac_mls_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
 }
 static int
-mac_mls_check_pipe_read(struct ucred *cred, struct pipepair *pp,
+mac_mls_pipe_check_read(struct ucred *cred, struct pipepair *pp,
 struct label *pplabel)
 {
 struct mac_mls *subj, *obj;
@@ -1894,7 +1899,7 @@ mac_mls_check_pipe_read(struct ucred *cred, struct pipepair *pp,
 }
 static int
-mac_mls_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
+mac_mls_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
 struct label *pplabel, struct label *newlabel)
 {
 struct mac_mls *subj, *obj, *new;
@@ -1945,7 +1950,7 @@ mac_mls_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
 }
 static int
-mac_mls_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
+mac_mls_pipe_check_stat(struct ucred *cred, struct pipepair *pp,
 struct label *pplabel)
 {
 struct mac_mls *subj, *obj;
@@ -1963,7 +1968,7 @@ mac_mls_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
 }
 static int
-mac_mls_check_pipe_write(struct ucred *cred, struct pipepair *pp,
+mac_mls_pipe_check_write(struct ucred *cred, struct pipepair *pp,
 struct label *pplabel)
 {
 struct mac_mls *subj, *obj;
@@ -1981,7 +1986,7 @@ mac_mls_check_pipe_write(struct ucred *cred, struct pipepair *pp,
 }
 static int
-mac_mls_check_posix_sem_write(struct ucred *cred, struct ksem *ks,
+mac_mls_posixsem_check_write(struct ucred *cred, struct ksem *ks,
 struct label *kslabel)
 {
 struct mac_mls *subj, *obj;
@@ -1999,7 +2004,7 @@ mac_mls_check_posix_sem_write(struct ucred *cred, struct ksem *ks,
 }
 static int
-mac_mls_check_posix_sem_rdonly(struct ucred *cred, struct ksem *ks,
+mac_mls_posixsem_check_rdonly(struct ucred *cred, struct ksem *ks,
 struct label *kslabel)
 {
 struct mac_mls *subj, *obj;
@@ -2017,7 +2022,7 @@ mac_mls_check_posix_sem_rdonly(struct ucred *cred, struct ksem *ks,
 }
 static int
-mac_mls_check_proc_debug(struct ucred *cred, struct proc *p)
+mac_mls_proc_check_debug(struct ucred *cred, struct proc *p)
 {
 struct mac_mls *subj, *obj;
@@ -2037,7 +2042,7 @@ mac_mls_check_proc_debug(struct ucred *cred, struct proc *p)
 }
 static int
-mac_mls_check_proc_sched(struct ucred *cred, struct proc *p)
+mac_mls_proc_check_sched(struct ucred *cred, struct proc *p)
 {
 struct mac_mls *subj, *obj;
@@ -2057,7 +2062,7 @@ mac_mls_check_proc_sched(struct ucred *cred, struct proc *p)
 }
 static int
-mac_mls_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
+mac_mls_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
 {
 struct mac_mls *subj, *obj;
@@ -2077,7 +2082,7 @@ mac_mls_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
 }
 static int
-mac_mls_check_socket_deliver(struct socket *so, struct label *solabel,
+mac_mls_socket_check_deliver(struct socket *so, struct label *solabel,
 struct mbuf *m, struct label *mlabel)
 {
 struct mac_mls *p, *s;
@@ -2092,7 +2097,7 @@ mac_mls_check_socket_deliver(struct socket *so, struct label *solabel,
 }
 static int
-mac_mls_check_socket_relabel(struct ucred *cred, struct socket *so,
+mac_mls_socket_check_relabel(struct ucred *cred, struct socket *so,
 struct label *solabel, struct label *newlabel)
 {
 struct mac_mls *subj, *obj, *new;
@@ -2143,7 +2148,7 @@ mac_mls_check_socket_relabel(struct ucred *cred, struct socket *so,
 }
 static int
-mac_mls_check_socket_visible(struct ucred *cred, struct socket *so,
+mac_mls_socket_check_visible(struct ucred *cred, struct socket *so,
 struct label *solabel)
 {
 struct mac_mls *subj, *obj;
@@ -2161,7 +2166,7 @@ mac_mls_check_socket_visible(struct ucred *cred, struct socket *so,
 }
 static int
-mac_mls_check_system_acct(struct ucred *cred, struct vnode *vp,
+mac_mls_system_check_acct(struct ucred *cred, struct vnode *vp,
 struct label *vplabel)
 {
 struct mac_mls *subj, *obj;
@@ -2180,7 +2185,7 @@ mac_mls_check_system_acct(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_mls_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+mac_mls_system_check_auditctl(struct ucred *cred, struct vnode *vp,
 struct label *vplabel)
 {
 struct mac_mls *subj, *obj;
@@ -2199,7 +2204,7 @@ mac_mls_check_system_auditctl(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_mls_check_system_swapon(struct ucred *cred, struct vnode *vp,
+mac_mls_system_check_swapon(struct ucred *cred, struct vnode *vp,
 struct label *vplabel)
 {
 struct mac_mls *subj, *obj;
@@ -2218,7 +2223,7 @@ mac_mls_check_system_swapon(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_mls_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
 struct label *dvplabel)
 {
 struct mac_mls *subj, *obj;
@@ -2236,7 +2241,7 @@ mac_mls_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
 }
 static int
-mac_mls_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
 struct label *dvplabel)
 {
 struct mac_mls *subj, *obj;
@@ -2254,7 +2259,7 @@ mac_mls_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
 }
 static int
-mac_mls_check_vnode_create(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_create(struct ucred *cred, struct vnode *dvp,
 struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
 {
 struct mac_mls *subj, *obj;
@@ -2272,7 +2277,7 @@ mac_mls_check_vnode_create(struct ucred *cred, struct vnode *dvp,
 }
 static int
-mac_mls_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, acl_type_t type)
 {
 struct mac_mls *subj, *obj;
@@ -2290,7 +2295,7 @@ mac_mls_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_mls_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, int attrnamespace, const char *name)
 {
 struct mac_mls *subj, *obj;
@@ -2308,7 +2313,7 @@ mac_mls_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_mls_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_exec(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, struct image_params *imgp, struct label *execlabel)
 {
@@ -2340,7 +2345,7 @@ mac_mls_check_vnode_exec(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_mls_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, acl_type_t type)
 {
 struct mac_mls *subj, *obj;
@@ -2358,7 +2363,7 @@ mac_mls_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_mls_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, int attrnamespace, const char *name, struct uio *uio)
 {
@@ -2377,7 +2382,7 @@ mac_mls_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_mls_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_link(struct ucred *cred, struct vnode *dvp,
 struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp)
 {
@@ -2400,7 +2405,7 @@ mac_mls_check_vnode_link(struct ucred *cred, struct vnode *dvp,
 }
 static int
-mac_mls_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, int attrnamespace)
 {
@@ -2419,7 +2424,7 @@ mac_mls_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_mls_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
 struct label *dvplabel, struct componentname *cnp)
 {
 struct mac_mls *subj, *obj;
@@ -2437,7 +2442,7 @@ mac_mls_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
 }
 static int
-mac_mls_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, int prot, int flags)
 {
 struct mac_mls *subj, *obj;
@@ -2465,7 +2470,7 @@ mac_mls_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_mls_check_vnode_open(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_open(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, int acc_mode)
 {
 struct mac_mls *subj, *obj;
@@ -2490,7 +2495,7 @@ mac_mls_check_vnode_open(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_mls_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
+mac_mls_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
 struct vnode *vp, struct label *vplabel)
 {
 struct mac_mls *subj, *obj;
@@ -2508,7 +2513,7 @@ mac_mls_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
 }
 static int
-mac_mls_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
+mac_mls_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
 struct vnode *vp, struct label *vplabel)
 {
 struct mac_mls *subj, *obj;
@@ -2526,7 +2531,7 @@ mac_mls_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
 }
 static int
-mac_mls_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
 struct label *dvplabel)
 {
 struct mac_mls *subj, *obj;
@@ -2544,7 +2549,7 @@ mac_mls_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
 }
 static int
-mac_mls_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_readlink(struct ucred *cred, struct vnode *vp,
 struct label *vplabel)
 {
 struct mac_mls *subj, *obj;
@@ -2562,7 +2567,7 @@ mac_mls_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_mls_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, struct label *newlabel)
 {
 struct mac_mls *old, *new, *subj;
@@ -2613,7 +2618,7 @@ mac_mls_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_mls_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
 struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp)
 {
@@ -2637,7 +2642,7 @@ mac_mls_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
 }
 static int
-mac_mls_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
 struct label *dvplabel, struct vnode *vp, struct label *vplabel, int samedir, struct componentname *cnp)
 {
@@ -2663,7 +2668,7 @@ mac_mls_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
 }
 static int
-mac_mls_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
 struct label *vplabel)
 {
 struct mac_mls *subj, *obj;
@@ -2681,7 +2686,7 @@ mac_mls_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_mls_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, acl_type_t type, struct acl *acl)
 {
 struct mac_mls *subj, *obj;
@@ -2699,7 +2704,7 @@ mac_mls_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_mls_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, int attrnamespace, const char *name, struct uio *uio)
 {
@@ -2720,7 +2725,7 @@ mac_mls_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_mls_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, u_long flags)
 {
 struct mac_mls *subj, *obj;
@@ -2738,7 +2743,7 @@ mac_mls_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_mls_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, mode_t mode)
 {
 struct mac_mls *subj, *obj;
@@ -2756,7 +2761,7 @@ mac_mls_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_mls_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, uid_t uid, gid_t gid)
 {
 struct mac_mls *subj, *obj;
@@ -2774,7 +2779,7 @@ mac_mls_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_mls_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, struct timespec atime, struct timespec mtime)
 {
 struct mac_mls *subj, *obj;
@@ -2792,7 +2797,7 @@ mac_mls_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
 }
 static int
-mac_mls_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
+mac_mls_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
 struct vnode *vp, struct label *vplabel)
 {
 struct mac_mls *subj, *obj;
@@ -2810,7 +2815,7 @@ mac_mls_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
 }
 static int
-mac_mls_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
 struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp)
 {
@@ -2834,7 +2839,7 @@ mac_mls_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
 }
 static int
-mac_mls_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
+mac_mls_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
 struct vnode *vp, struct label *vplabel)
 {
 struct mac_mls *subj, *obj;
@@ -2865,181 +2870,181 @@ mac_mls_associate_nfsd_label(struct ucred *cred)
 static struct mac_policy_ops mac_mls_ops = {
 .mpo_init = mac_mls_init,
- .mpo_init_bpfdesc_label = mac_mls_init_label,
- .mpo_init_cred_label = mac_mls_init_label,
- .mpo_init_devfs_label = mac_mls_init_label,
- .mpo_init_ifnet_label = mac_mls_init_label,
- .mpo_init_inpcb_label = mac_mls_init_label_waitcheck,
+ .mpo_bpfdesc_init_label = mac_mls_init_label,
+ .mpo_cred_init_label = mac_mls_init_label,
+ .mpo_devfs_init_label = mac_mls_init_label,
+ .mpo_ifnet_init_label = mac_mls_init_label,
+ .mpo_inpcb_init_label = mac_mls_init_label_waitcheck,
 .mpo_init_syncache_label = mac_mls_init_label_waitcheck,
- .mpo_init_sysv_msgmsg_label = mac_mls_init_label,
- .mpo_init_sysv_msgqueue_label = mac_mls_init_label,
- .mpo_init_sysv_sem_label = mac_mls_init_label,
- .mpo_init_sysv_shm_label = mac_mls_init_label,
- .mpo_init_ipq_label = mac_mls_init_label_waitcheck,
- .mpo_init_mbuf_label = mac_mls_init_label_waitcheck,
- .mpo_init_mount_label = mac_mls_init_label,
- .mpo_init_pipe_label = mac_mls_init_label,
- .mpo_init_posix_sem_label = mac_mls_init_label,
- .mpo_init_socket_label = mac_mls_init_label_waitcheck,
- .mpo_init_socket_peer_label = mac_mls_init_label_waitcheck,
- .mpo_init_vnode_label = mac_mls_init_label,
- .mpo_destroy_bpfdesc_label = mac_mls_destroy_label,
- .mpo_destroy_cred_label = mac_mls_destroy_label,
- .mpo_destroy_devfs_label = mac_mls_destroy_label,
- .mpo_destroy_ifnet_label = mac_mls_destroy_label,
- .mpo_destroy_inpcb_label = mac_mls_destroy_label,
+ .mpo_sysvmsg_init_label = mac_mls_init_label,
+ .mpo_sysvmsq_init_label = mac_mls_init_label,
+ .mpo_sysvsem_init_label = mac_mls_init_label,
+ .mpo_sysvshm_init_label = mac_mls_init_label,
+ .mpo_ipq_init_label = mac_mls_init_label_waitcheck,
+ .mpo_mbuf_init_label = mac_mls_init_label_waitcheck,
+ .mpo_mount_init_label = mac_mls_init_label,
+ .mpo_pipe_init_label = mac_mls_init_label,
+ .mpo_posixsem_init_label =
mac_mls_init_label,
+ .mpo_socket_init_label = mac_mls_init_label_waitcheck,
+ .mpo_socketpeer_init_label = mac_mls_init_label_waitcheck,
+ .mpo_vnode_init_label = mac_mls_init_label,
+ .mpo_bpfdesc_destroy_label = mac_mls_destroy_label,
+ .mpo_cred_destroy_label = mac_mls_destroy_label,
+ .mpo_devfs_destroy_label = mac_mls_destroy_label,
+ .mpo_ifnet_destroy_label = mac_mls_destroy_label,
+ .mpo_inpcb_destroy_label = mac_mls_destroy_label,
 .mpo_destroy_syncache_label = mac_mls_destroy_label,
- .mpo_destroy_sysv_msgmsg_label = mac_mls_destroy_label,
- .mpo_destroy_sysv_msgqueue_label = mac_mls_destroy_label,
- .mpo_destroy_sysv_sem_label = mac_mls_destroy_label,
- .mpo_destroy_sysv_shm_label = mac_mls_destroy_label,
- .mpo_destroy_ipq_label = mac_mls_destroy_label,
- .mpo_destroy_mbuf_label = mac_mls_destroy_label,
- .mpo_destroy_mount_label = mac_mls_destroy_label,
- .mpo_destroy_pipe_label = mac_mls_destroy_label,
- .mpo_destroy_posix_sem_label = mac_mls_destroy_label,
- .mpo_destroy_socket_label = mac_mls_destroy_label,
- .mpo_destroy_socket_peer_label = mac_mls_destroy_label,
- .mpo_destroy_vnode_label = mac_mls_destroy_label,
- .mpo_copy_cred_label = mac_mls_copy_label,
- .mpo_copy_ifnet_label = mac_mls_copy_label,
- .mpo_copy_mbuf_label = mac_mls_copy_label,
- .mpo_copy_pipe_label = mac_mls_copy_label,
- .mpo_copy_socket_label = mac_mls_copy_label,
- .mpo_copy_vnode_label = mac_mls_copy_label,
- .mpo_externalize_cred_label = mac_mls_externalize_label,
- .mpo_externalize_ifnet_label = mac_mls_externalize_label,
- .mpo_externalize_pipe_label = mac_mls_externalize_label,
- .mpo_externalize_socket_label = mac_mls_externalize_label,
- .mpo_externalize_socket_peer_label = mac_mls_externalize_label,
- .mpo_externalize_vnode_label = mac_mls_externalize_label,
- .mpo_internalize_cred_label = mac_mls_internalize_label,
- .mpo_internalize_ifnet_label = mac_mls_internalize_label,
- .mpo_internalize_pipe_label = mac_mls_internalize_label,
- .mpo_internalize_socket_label =
mac_mls_internalize_label,
- .mpo_internalize_vnode_label = mac_mls_internalize_label,
- .mpo_create_devfs_device = mac_mls_create_devfs_device,
- .mpo_create_devfs_directory = mac_mls_create_devfs_directory,
- .mpo_create_devfs_symlink = mac_mls_create_devfs_symlink,
- .mpo_create_mount = mac_mls_create_mount,
- .mpo_relabel_vnode = mac_mls_relabel_vnode,
- .mpo_update_devfs = mac_mls_update_devfs,
- .mpo_associate_vnode_devfs = mac_mls_associate_vnode_devfs,
- .mpo_associate_vnode_extattr = mac_mls_associate_vnode_extattr,
- .mpo_associate_vnode_singlelabel = mac_mls_associate_vnode_singlelabel,
- .mpo_create_vnode_extattr = mac_mls_create_vnode_extattr,
- .mpo_setlabel_vnode_extattr = mac_mls_setlabel_vnode_extattr,
- .mpo_create_mbuf_from_socket = mac_mls_create_mbuf_from_socket,
+ .mpo_sysvmsg_destroy_label = mac_mls_destroy_label,
+ .mpo_sysvmsq_destroy_label = mac_mls_destroy_label,
+ .mpo_sysvsem_destroy_label = mac_mls_destroy_label,
+ .mpo_sysvshm_destroy_label = mac_mls_destroy_label,
+ .mpo_ipq_destroy_label = mac_mls_destroy_label,
+ .mpo_mbuf_destroy_label = mac_mls_destroy_label,
+ .mpo_mount_destroy_label = mac_mls_destroy_label,
+ .mpo_pipe_destroy_label = mac_mls_destroy_label,
+ .mpo_posixsem_destroy_label = mac_mls_destroy_label,
+ .mpo_socket_destroy_label = mac_mls_destroy_label,
+ .mpo_socketpeer_destroy_label = mac_mls_destroy_label,
+ .mpo_vnode_destroy_label = mac_mls_destroy_label,
+ .mpo_cred_copy_label = mac_mls_copy_label,
+ .mpo_ifnet_copy_label = mac_mls_copy_label,
+ .mpo_mbuf_copy_label = mac_mls_copy_label,
+ .mpo_pipe_copy_label = mac_mls_copy_label,
+ .mpo_socket_copy_label = mac_mls_copy_label,
+ .mpo_vnode_copy_label = mac_mls_copy_label,
+ .mpo_cred_externalize_label = mac_mls_externalize_label,
+ .mpo_ifnet_externalize_label = mac_mls_externalize_label,
+ .mpo_pipe_externalize_label = mac_mls_externalize_label,
+ .mpo_socket_externalize_label = mac_mls_externalize_label,
+ .mpo_socketpeer_externalize_label =
mac_mls_externalize_label,
+ .mpo_vnode_externalize_label = mac_mls_externalize_label,
+ .mpo_cred_internalize_label = mac_mls_internalize_label,
+ .mpo_ifnet_internalize_label = mac_mls_internalize_label,
+ .mpo_pipe_internalize_label = mac_mls_internalize_label,
+ .mpo_socket_internalize_label = mac_mls_internalize_label,
+ .mpo_vnode_internalize_label = mac_mls_internalize_label,
+ .mpo_devfs_create_device = mac_mls_devfs_create_device,
+ .mpo_devfs_create_directory = mac_mls_devfs_create_directory,
+ .mpo_devfs_create_symlink = mac_mls_devfs_create_symlink,
+ .mpo_mount_create = mac_mls_mount_create,
+ .mpo_vnode_relabel = mac_mls_vnode_relabel,
+ .mpo_devfs_update = mac_mls_devfs_update,
+ .mpo_devfs_vnode_associate = mac_mls_devfs_vnode_associate,
+ .mpo_vnode_associate_extattr = mac_mls_vnode_associate_extattr,
+ .mpo_vnode_associate_singlelabel = mac_mls_vnode_associate_singlelabel,
+ .mpo_vnode_create_extattr = mac_mls_vnode_create_extattr,
+ .mpo_vnode_setlabel_extattr = mac_mls_vnode_setlabel_extattr,
+ .mpo_socket_create_mbuf = mac_mls_socket_create_mbuf,
 .mpo_create_mbuf_from_syncache = mac_mls_create_mbuf_from_syncache,
- .mpo_create_pipe = mac_mls_create_pipe,
- .mpo_create_posix_sem = mac_mls_create_posix_sem,
- .mpo_create_socket = mac_mls_create_socket,
- .mpo_create_socket_from_socket = mac_mls_create_socket_from_socket,
- .mpo_relabel_pipe = mac_mls_relabel_pipe,
- .mpo_relabel_socket = mac_mls_relabel_socket,
- .mpo_set_socket_peer_from_mbuf = mac_mls_set_socket_peer_from_mbuf,
- .mpo_set_socket_peer_from_socket = mac_mls_set_socket_peer_from_socket,
- .mpo_create_bpfdesc = mac_mls_create_bpfdesc,
- .mpo_create_datagram_from_ipq = mac_mls_create_datagram_from_ipq,
- .mpo_create_fragment = mac_mls_create_fragment,
- .mpo_create_ifnet = mac_mls_create_ifnet,
- .mpo_create_inpcb_from_socket = mac_mls_create_inpcb_from_socket,
+ .mpo_pipe_create = mac_mls_pipe_create,
+ .mpo_posixsem_create = mac_mls_posixsem_create,
+ .mpo_socket_create =
mac_mls_socket_create,
+ .mpo_socket_newconn = mac_mls_socket_newconn,
+ .mpo_pipe_relabel = mac_mls_pipe_relabel,
+ .mpo_socket_relabel = mac_mls_socket_relabel,
+ .mpo_socketpeer_set_from_mbuf = mac_mls_socketpeer_set_from_mbuf,
+ .mpo_socketpeer_set_from_socket = mac_mls_socketpeer_set_from_socket,
+ .mpo_bpfdesc_create = mac_mls_bpfdesc_create,
+ .mpo_ipq_reassemble = mac_mls_ipq_reassemble,
+ .mpo_netinet_fragment = mac_mls_netinet_fragment,
+ .mpo_ifnet_create = mac_mls_ifnet_create,
+ .mpo_inpcb_create = mac_mls_inpcb_create,
 .mpo_init_syncache_from_inpcb = mac_mls_init_syncache_from_inpcb,
- .mpo_create_ipq = mac_mls_create_ipq,
- .mpo_create_sysv_msgmsg = mac_mls_create_sysv_msgmsg,
- .mpo_create_sysv_msgqueue = mac_mls_create_sysv_msgqueue,
- .mpo_create_sysv_sem = mac_mls_create_sysv_sem,
- .mpo_create_sysv_shm = mac_mls_create_sysv_shm,
- .mpo_create_mbuf_from_inpcb = mac_mls_create_mbuf_from_inpcb,
+ .mpo_ipq_create = mac_mls_ipq_create,
+ .mpo_sysvmsg_create = mac_mls_sysvmsg_create,
+ .mpo_sysvmsq_create = mac_mls_sysvmsq_create,
+ .mpo_sysvsem_create = mac_mls_sysvsem_create,
+ .mpo_sysvshm_create = mac_mls_sysvshm_create,
+ .mpo_inpcb_create_mbuf = mac_mls_inpcb_create_mbuf,
 .mpo_create_mbuf_linklayer = mac_mls_create_mbuf_linklayer,
- .mpo_create_mbuf_from_bpfdesc = mac_mls_create_mbuf_from_bpfdesc,
- .mpo_create_mbuf_from_ifnet = mac_mls_create_mbuf_from_ifnet,
- .mpo_create_mbuf_multicast_encap = mac_mls_create_mbuf_multicast_encap,
- .mpo_create_mbuf_netlayer = mac_mls_create_mbuf_netlayer,
- .mpo_fragment_match = mac_mls_fragment_match,
- .mpo_relabel_ifnet = mac_mls_relabel_ifnet,
- .mpo_update_ipq = mac_mls_update_ipq,
+ .mpo_bpfdesc_create_mbuf = mac_mls_bpfdesc_create_mbuf,
+ .mpo_ifnet_create_mbuf = mac_mls_ifnet_create_mbuf,
+ .mpo_mbuf_create_multicast_encap = mac_mls_mbuf_create_multicast_encap,
+ .mpo_mbuf_create_netlayer = mac_mls_mbuf_create_netlayer,
+ .mpo_ipq_match = mac_mls_ipq_match,
+ .mpo_ifnet_relabel =
mac_mls_ifnet_relabel,
+ .mpo_ipq_update = mac_mls_ipq_update,
 .mpo_inpcb_sosetlabel = mac_mls_inpcb_sosetlabel,
- .mpo_create_proc0 = mac_mls_create_proc0,
- .mpo_create_proc1 = mac_mls_create_proc1,
- .mpo_relabel_cred = mac_mls_relabel_cred,
- .mpo_cleanup_sysv_msgmsg = mac_mls_cleanup_sysv_msgmsg,
- .mpo_cleanup_sysv_msgqueue = mac_mls_cleanup_sysv_msgqueue,
- .mpo_cleanup_sysv_sem = mac_mls_cleanup_sysv_sem,
- .mpo_cleanup_sysv_shm = mac_mls_cleanup_sysv_shm,
- .mpo_check_bpfdesc_receive = mac_mls_check_bpfdesc_receive,
- .mpo_check_cred_relabel = mac_mls_check_cred_relabel,
- .mpo_check_cred_visible = mac_mls_check_cred_visible,
- .mpo_check_ifnet_relabel = mac_mls_check_ifnet_relabel,
- .mpo_check_ifnet_transmit = mac_mls_check_ifnet_transmit,
- .mpo_check_inpcb_deliver = mac_mls_check_inpcb_deliver,
- .mpo_check_sysv_msgrcv = mac_mls_check_sysv_msgrcv,
- .mpo_check_sysv_msgrmid = mac_mls_check_sysv_msgrmid,
- .mpo_check_sysv_msqget = mac_mls_check_sysv_msqget,
- .mpo_check_sysv_msqsnd = mac_mls_check_sysv_msqsnd,
- .mpo_check_sysv_msqrcv = mac_mls_check_sysv_msqrcv,
- .mpo_check_sysv_msqctl = mac_mls_check_sysv_msqctl,
- .mpo_check_sysv_semctl = mac_mls_check_sysv_semctl,
- .mpo_check_sysv_semget = mac_mls_check_sysv_semget,
- .mpo_check_sysv_semop = mac_mls_check_sysv_semop,
- .mpo_check_sysv_shmat = mac_mls_check_sysv_shmat,
- .mpo_check_sysv_shmctl = mac_mls_check_sysv_shmctl,
- .mpo_check_sysv_shmget = mac_mls_check_sysv_shmget,
- .mpo_check_mount_stat = mac_mls_check_mount_stat,
- .mpo_check_pipe_ioctl = mac_mls_check_pipe_ioctl,
- .mpo_check_pipe_poll = mac_mls_check_pipe_poll,
- .mpo_check_pipe_read = mac_mls_check_pipe_read,
- .mpo_check_pipe_relabel = mac_mls_check_pipe_relabel,
- .mpo_check_pipe_stat = mac_mls_check_pipe_stat,
- .mpo_check_pipe_write = mac_mls_check_pipe_write,
- .mpo_check_posix_sem_destroy = mac_mls_check_posix_sem_write,
- .mpo_check_posix_sem_getvalue = mac_mls_check_posix_sem_rdonly,
- .mpo_check_posix_sem_open =
mac_mls_check_posix_sem_write,
- .mpo_check_posix_sem_post = mac_mls_check_posix_sem_write,
- .mpo_check_posix_sem_unlink = mac_mls_check_posix_sem_write,
- .mpo_check_posix_sem_wait = mac_mls_check_posix_sem_write,
- .mpo_check_proc_debug = mac_mls_check_proc_debug,
- .mpo_check_proc_sched = mac_mls_check_proc_sched,
- .mpo_check_proc_signal = mac_mls_check_proc_signal,
- .mpo_check_socket_deliver = mac_mls_check_socket_deliver,
- .mpo_check_socket_relabel = mac_mls_check_socket_relabel,
- .mpo_check_socket_visible = mac_mls_check_socket_visible,
- .mpo_check_system_acct = mac_mls_check_system_acct,
- .mpo_check_system_auditctl = mac_mls_check_system_auditctl,
- .mpo_check_system_swapon = mac_mls_check_system_swapon,
- .mpo_check_vnode_access = mac_mls_check_vnode_open,
- .mpo_check_vnode_chdir = mac_mls_check_vnode_chdir,
- .mpo_check_vnode_chroot = mac_mls_check_vnode_chroot,
- .mpo_check_vnode_create = mac_mls_check_vnode_create,
- .mpo_check_vnode_deleteacl = mac_mls_check_vnode_deleteacl,
- .mpo_check_vnode_deleteextattr = mac_mls_check_vnode_deleteextattr,
- .mpo_check_vnode_exec = mac_mls_check_vnode_exec,
- .mpo_check_vnode_getacl = mac_mls_check_vnode_getacl,
- .mpo_check_vnode_getextattr = mac_mls_check_vnode_getextattr,
- .mpo_check_vnode_link = mac_mls_check_vnode_link,
- .mpo_check_vnode_listextattr = mac_mls_check_vnode_listextattr,
- .mpo_check_vnode_lookup = mac_mls_check_vnode_lookup,
- .mpo_check_vnode_mmap = mac_mls_check_vnode_mmap,
- .mpo_check_vnode_open = mac_mls_check_vnode_open,
- .mpo_check_vnode_poll = mac_mls_check_vnode_poll,
- .mpo_check_vnode_read = mac_mls_check_vnode_read,
- .mpo_check_vnode_readdir = mac_mls_check_vnode_readdir,
- .mpo_check_vnode_readlink = mac_mls_check_vnode_readlink,
- .mpo_check_vnode_relabel = mac_mls_check_vnode_relabel,
- .mpo_check_vnode_rename_from = mac_mls_check_vnode_rename_from,
- .mpo_check_vnode_rename_to = mac_mls_check_vnode_rename_to,
- .mpo_check_vnode_revoke = mac_mls_check_vnode_revoke,
-
.mpo_check_vnode_setacl = mac_mls_check_vnode_setacl, - .mpo_check_vnode_setextattr = mac_mls_check_vnode_setextattr, - .mpo_check_vnode_setflags = mac_mls_check_vnode_setflags, - .mpo_check_vnode_setmode = mac_mls_check_vnode_setmode, - .mpo_check_vnode_setowner = mac_mls_check_vnode_setowner, - .mpo_check_vnode_setutimes = mac_mls_check_vnode_setutimes, - .mpo_check_vnode_stat = mac_mls_check_vnode_stat, - .mpo_check_vnode_unlink = mac_mls_check_vnode_unlink, - .mpo_check_vnode_write = mac_mls_check_vnode_write, + .mpo_proc_create_swapper = mac_mls_proc_create_swapper, + .mpo_proc_create_init = mac_mls_proc_create_init, + .mpo_cred_relabel = mac_mls_cred_relabel, + .mpo_sysvmsg_cleanup = mac_mls_sysvmsg_cleanup, + .mpo_sysvmsq_cleanup = mac_mls_sysvmsq_cleanup, + .mpo_sysvsem_cleanup = mac_mls_sysvsem_cleanup, + .mpo_sysvshm_cleanup = mac_mls_sysvshm_cleanup, + .mpo_bpfdesc_check_receive = mac_mls_bpfdesc_check_receive, + .mpo_cred_check_relabel = mac_mls_cred_check_relabel, + .mpo_cred_check_visible = mac_mls_cred_check_visible, + .mpo_ifnet_check_relabel = mac_mls_ifnet_check_relabel, + .mpo_ifnet_check_transmit = mac_mls_ifnet_check_transmit, + .mpo_inpcb_check_deliver = mac_mls_inpcb_check_deliver, + .mpo_sysvmsq_check_msgrcv = mac_mls_sysvmsq_check_msgrcv, + .mpo_sysvmsq_check_msgrmid = mac_mls_sysvmsq_check_msgrmid, + .mpo_sysvmsq_check_msqget = mac_mls_sysvmsq_check_msqget, + .mpo_sysvmsq_check_msqsnd = mac_mls_sysvmsq_check_msqsnd, + .mpo_sysvmsq_check_msqrcv = mac_mls_sysvmsq_check_msqrcv, + .mpo_sysvmsq_check_msqctl = mac_mls_sysvmsq_check_msqctl, + .mpo_sysvsem_check_semctl = mac_mls_sysvsem_check_semctl, + .mpo_sysvsem_check_semget = mac_mls_sysvsem_check_semget, + .mpo_sysvsem_check_semop = mac_mls_sysvsem_check_semop, + .mpo_sysvshm_check_shmat = mac_mls_sysvshm_check_shmat, + .mpo_sysvshm_check_shmctl = mac_mls_sysvshm_check_shmctl, + .mpo_sysvshm_check_shmget = mac_mls_sysvshm_check_shmget, + .mpo_mount_check_stat = mac_mls_mount_check_stat, + 
.mpo_pipe_check_ioctl = mac_mls_pipe_check_ioctl, + .mpo_pipe_check_poll = mac_mls_pipe_check_poll, + .mpo_pipe_check_read = mac_mls_pipe_check_read, + .mpo_pipe_check_relabel = mac_mls_pipe_check_relabel, + .mpo_pipe_check_stat = mac_mls_pipe_check_stat, + .mpo_pipe_check_write = mac_mls_pipe_check_write, + .mpo_posixsem_check_destroy = mac_mls_posixsem_check_write, + .mpo_posixsem_check_getvalue = mac_mls_posixsem_check_rdonly, + .mpo_posixsem_check_open = mac_mls_posixsem_check_write, + .mpo_posixsem_check_post = mac_mls_posixsem_check_write, + .mpo_posixsem_check_unlink = mac_mls_posixsem_check_write, + .mpo_posixsem_check_wait = mac_mls_posixsem_check_write, + .mpo_proc_check_debug = mac_mls_proc_check_debug, + .mpo_proc_check_sched = mac_mls_proc_check_sched, + .mpo_proc_check_signal = mac_mls_proc_check_signal, + .mpo_socket_check_deliver = mac_mls_socket_check_deliver, + .mpo_socket_check_relabel = mac_mls_socket_check_relabel, + .mpo_socket_check_visible = mac_mls_socket_check_visible, + .mpo_system_check_acct = mac_mls_system_check_acct, + .mpo_system_check_auditctl = mac_mls_system_check_auditctl, + .mpo_system_check_swapon = mac_mls_system_check_swapon, + .mpo_vnode_check_access = mac_mls_vnode_check_open, + .mpo_vnode_check_chdir = mac_mls_vnode_check_chdir, + .mpo_vnode_check_chroot = mac_mls_vnode_check_chroot, + .mpo_vnode_check_create = mac_mls_vnode_check_create, + .mpo_vnode_check_deleteacl = mac_mls_vnode_check_deleteacl, + .mpo_vnode_check_deleteextattr = mac_mls_vnode_check_deleteextattr, + .mpo_vnode_check_exec = mac_mls_vnode_check_exec, + .mpo_vnode_check_getacl = mac_mls_vnode_check_getacl, + .mpo_vnode_check_getextattr = mac_mls_vnode_check_getextattr, + .mpo_vnode_check_link = mac_mls_vnode_check_link, + .mpo_vnode_check_listextattr = mac_mls_vnode_check_listextattr, + .mpo_vnode_check_lookup = mac_mls_vnode_check_lookup, + .mpo_vnode_check_mmap = mac_mls_vnode_check_mmap, + .mpo_vnode_check_open = mac_mls_vnode_check_open, + 
.mpo_vnode_check_poll = mac_mls_vnode_check_poll, + .mpo_vnode_check_read = mac_mls_vnode_check_read, + .mpo_vnode_check_readdir = mac_mls_vnode_check_readdir, + .mpo_vnode_check_readlink = mac_mls_vnode_check_readlink, + .mpo_vnode_check_relabel = mac_mls_vnode_check_relabel, + .mpo_vnode_check_rename_from = mac_mls_vnode_check_rename_from, + .mpo_vnode_check_rename_to = mac_mls_vnode_check_rename_to, + .mpo_vnode_check_revoke = mac_mls_vnode_check_revoke, + .mpo_vnode_check_setacl = mac_mls_vnode_check_setacl, + .mpo_vnode_check_setextattr = mac_mls_vnode_check_setextattr, + .mpo_vnode_check_setflags = mac_mls_vnode_check_setflags, + .mpo_vnode_check_setmode = mac_mls_vnode_check_setmode, + .mpo_vnode_check_setowner = mac_mls_vnode_check_setowner, + .mpo_vnode_check_setutimes = mac_mls_vnode_check_setutimes, + .mpo_vnode_check_stat = mac_mls_vnode_check_stat, + .mpo_vnode_check_unlink = mac_mls_vnode_check_unlink, + .mpo_vnode_check_write = mac_mls_vnode_check_write, .mpo_associate_nfsd_label = mac_mls_associate_nfsd_label, - .mpo_create_mbuf_from_firewall = mac_mls_create_mbuf_from_firewall, + .mpo_mbuf_create_from_firewall = mac_mls_mbuf_create_from_firewall, }; MAC_POLICY_SET(&mac_mls_ops, mac_mls, "TrustedBSD MAC/MLS", diff --git a/sys/security/mac_partition/mac_partition.c b/sys/security/mac_partition/mac_partition.c index c418d3f..986406a 100644 --- a/sys/security/mac_partition/mac_partition.c +++ b/sys/security/mac_partition/mac_partition.c @@ -1,6 +1,7 @@ /*- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson * Copyright (c) 2001-2002 Networks Associates Technology, Inc. + * Copyright (c) 2006 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. 
@@ -10,6 +11,9 @@ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), * as part of the DARPA CHATS research program. * + * This software was enhanced by SPARTA ISSO under SPAWAR contract + * N66001-04-C-6019 ("SEFOS"). + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -115,21 +119,21 @@ mac_partition_internalize_label(struct label *label, char *element_name, } static void -mac_partition_create_proc0(struct ucred *cred) +mac_partition_proc_create_swapper(struct ucred *cred) { SLOT_SET(cred->cr_label, 0); } static void -mac_partition_create_proc1(struct ucred *cred) +mac_partition_proc_create_init(struct ucred *cred) { SLOT_SET(cred->cr_label, 0); } static void -mac_partition_relabel_cred(struct ucred *cred, struct label *newlabel) +mac_partition_cred_relabel(struct ucred *cred, struct label *newlabel) { if (SLOT(newlabel) != 0) @@ -153,7 +157,7 @@ label_on_label(struct label *subject, struct label *object) } static int -mac_partition_check_cred_relabel(struct ucred *cred, struct label *newlabel) +mac_partition_cred_check_relabel(struct ucred *cred, struct label *newlabel) { int error; @@ -174,7 +178,7 @@ mac_partition_check_cred_relabel(struct ucred *cred, struct label *newlabel) } static int -mac_partition_check_cred_visible(struct ucred *cr1, struct ucred *cr2) +mac_partition_cred_check_visible(struct ucred *cr1, struct ucred *cr2) { int error; @@ -184,7 +188,7 @@ mac_partition_check_cred_visible(struct ucred *cr1, struct ucred *cr2) } static int -mac_partition_check_proc_debug(struct ucred *cred, struct proc *p) +mac_partition_proc_check_debug(struct ucred *cred, struct proc *p) { int error; @@ -194,7 +198,7 @@ mac_partition_check_proc_debug(struct ucred *cred, struct proc *p) } static int -mac_partition_check_proc_sched(struct ucred *cred, struct proc *p) +mac_partition_proc_check_sched(struct ucred *cred, struct proc *p) { int error; 
@@ -204,7 +208,7 @@ mac_partition_check_proc_sched(struct ucred *cred, struct proc *p) } static int -mac_partition_check_proc_signal(struct ucred *cred, struct proc *p, +mac_partition_proc_check_signal(struct ucred *cred, struct proc *p, int signum) { int error; @@ -215,7 +219,7 @@ mac_partition_check_proc_signal(struct ucred *cred, struct proc *p, } static int -mac_partition_check_socket_visible(struct ucred *cred, struct socket *so, +mac_partition_socket_check_visible(struct ucred *cred, struct socket *so, struct label *solabel) { int error; @@ -226,7 +230,7 @@ mac_partition_check_socket_visible(struct ucred *cred, struct socket *so, } static int -mac_partition_check_vnode_exec(struct ucred *cred, struct vnode *vp, +mac_partition_vnode_check_exec(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct image_params *imgp, struct label *execlabel) { 
@@ -246,21 +250,21 @@ mac_partition_check_vnode_exec(struct ucred *cred, struct vnode *vp, static struct mac_policy_ops mac_partition_ops = { - .mpo_init_cred_label = mac_partition_init_label, - .mpo_destroy_cred_label = mac_partition_destroy_label, - .mpo_copy_cred_label = mac_partition_copy_label, - .mpo_externalize_cred_label = mac_partition_externalize_label, - .mpo_internalize_cred_label = mac_partition_internalize_label, - .mpo_create_proc0 = mac_partition_create_proc0, - .mpo_create_proc1 = mac_partition_create_proc1, - .mpo_relabel_cred = mac_partition_relabel_cred, - .mpo_check_cred_relabel = mac_partition_check_cred_relabel, - .mpo_check_cred_visible = mac_partition_check_cred_visible, - .mpo_check_proc_debug = mac_partition_check_proc_debug, - .mpo_check_proc_sched = mac_partition_check_proc_sched, - .mpo_check_proc_signal = mac_partition_check_proc_signal, - .mpo_check_socket_visible = mac_partition_check_socket_visible, - .mpo_check_vnode_exec = mac_partition_check_vnode_exec, + .mpo_cred_init_label = mac_partition_init_label, + .mpo_cred_destroy_label = mac_partition_destroy_label, + .mpo_cred_copy_label = mac_partition_copy_label, + .mpo_cred_externalize_label = mac_partition_externalize_label, + .mpo_cred_internalize_label = mac_partition_internalize_label, + .mpo_proc_create_swapper = mac_partition_proc_create_swapper, + .mpo_proc_create_init = mac_partition_proc_create_init, + .mpo_cred_relabel = mac_partition_cred_relabel, + .mpo_cred_check_relabel = mac_partition_cred_check_relabel, + .mpo_cred_check_visible = mac_partition_cred_check_visible, + .mpo_proc_check_debug = mac_partition_proc_check_debug, + .mpo_proc_check_sched = mac_partition_proc_check_sched, + .mpo_proc_check_signal = mac_partition_proc_check_signal, + .mpo_socket_check_visible = mac_partition_socket_check_visible, + .mpo_vnode_check_exec = mac_partition_vnode_check_exec, }; MAC_POLICY_SET(&mac_partition_ops, mac_partition, "TrustedBSD MAC/Partition", 
diff --git a/sys/security/mac_portacl/mac_portacl.c b/sys/security/mac_portacl/mac_portacl.c index 633f606..0d4428d 100644 --- a/sys/security/mac_portacl/mac_portacl.c +++ b/sys/security/mac_portacl/mac_portacl.c @@ -1,5 +1,6 @@ /*- * Copyright (c) 2003-2004 Networks Associates Technology, Inc. + * Copyright (c) 2006 SPARTA, Inc. * All rights reserved. * * This software was developed for the FreeBSD Project by Network @@ -7,6 +8,9 @@ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), * as part of the DARPA CHATS research program. * + * This software was enhanced by SPARTA ISSO under SPAWAR contract + * N66001-04-C-6019 ("SEFOS"). + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -430,7 +434,7 @@ rules_check(struct ucred *cred, int family, int type, u_int16_t port) * the source port is left up to the IP stack to determine automatically. */ static int -check_socket_bind(struct ucred *cred, struct socket *so, +socket_check_bind(struct ucred *cred, struct socket *so, struct label *solabel, struct sockaddr *sa) { struct sockaddr_in *sin; @@ -482,7 +486,7 @@ static struct mac_policy_ops mac_portacl_ops = { .mpo_destroy = destroy, .mpo_init = init, - .mpo_check_socket_bind = check_socket_bind, + .mpo_socket_check_bind = socket_check_bind, }; MAC_POLICY_SET(&mac_portacl_ops, trustedbsd_mac_portacl, diff --git a/sys/security/mac_seeotheruids/mac_seeotheruids.c b/sys/security/mac_seeotheruids/mac_seeotheruids.c index 1e5e4df..8681b86 100644 --- a/sys/security/mac_seeotheruids/mac_seeotheruids.c +++ b/sys/security/mac_seeotheruids/mac_seeotheruids.c @@ -1,6 +1,7 @@ /*- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson * Copyright (c) 2001-2002 Networks Associates Technology, Inc. + * Copyright (c) 2006 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. 
@@ -10,6 +11,9 @@ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), * as part of the DARPA CHATS research program. * + * This software was enhanced by SPARTA ISSO under SPAWAR contract + * N66001-04-C-6019 ("SEFOS"). + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -122,14 +126,14 @@ mac_seeotheruids_check(struct ucred *cr1, struct ucred *cr2) } static int -mac_seeotheruids_check_cred_visible(struct ucred *cr1, struct ucred *cr2) +mac_seeotheruids_cred_check_visible(struct ucred *cr1, struct ucred *cr2) { return (mac_seeotheruids_check(cr1, cr2)); } static int -mac_seeotheruids_check_proc_signal(struct ucred *cred, struct proc *p, +mac_seeotheruids_proc_check_signal(struct ucred *cred, struct proc *p, int signum) { @@ -137,21 +141,21 @@ mac_seeotheruids_check_proc_signal(struct ucred *cred, struct proc *p, } static int -mac_seeotheruids_check_proc_sched(struct ucred *cred, struct proc *p) +mac_seeotheruids_proc_check_sched(struct ucred *cred, struct proc *p) { return (mac_seeotheruids_check(cred, p->p_ucred)); } static int -mac_seeotheruids_check_proc_debug(struct ucred *cred, struct proc *p) +mac_seeotheruids_proc_check_debug(struct ucred *cred, struct proc *p) { return (mac_seeotheruids_check(cred, p->p_ucred)); } static int -mac_seeotheruids_check_socket_visible(struct ucred *cred, struct socket *so, +mac_seeotheruids_socket_check_visible(struct ucred *cred, struct socket *so, struct label *solabel) { 
@@ -160,11 +164,11 @@ mac_seeotheruids_check_socket_visible(struct ucred *cred, struct socket *so, static struct mac_policy_ops mac_seeotheruids_ops = { - .mpo_check_cred_visible = mac_seeotheruids_check_cred_visible, - .mpo_check_proc_debug = mac_seeotheruids_check_proc_debug, - .mpo_check_proc_sched = mac_seeotheruids_check_proc_sched, - .mpo_check_proc_signal = mac_seeotheruids_check_proc_signal, - .mpo_check_socket_visible = mac_seeotheruids_check_socket_visible, + .mpo_cred_check_visible = mac_seeotheruids_cred_check_visible, + .mpo_proc_check_debug = mac_seeotheruids_proc_check_debug, + .mpo_proc_check_sched = mac_seeotheruids_proc_check_sched, + .mpo_proc_check_signal = mac_seeotheruids_proc_check_signal, + .mpo_socket_check_visible = mac_seeotheruids_socket_check_visible, }; MAC_POLICY_SET(&mac_seeotheruids_ops, mac_seeotheruids, diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c index 8fa9a0d..56a0953 100644 --- a/sys/security/mac_stub/mac_stub.c +++ b/sys/security/mac_stub/mac_stub.c @@ -1,7 +1,7 @@ /*- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson * Copyright (c) 2001-2005 McAfee, Inc. - * Copyright (c) 2005 SPARTA, Inc. + * Copyright (c) 2005-2006 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -163,7 +163,7 @@ stub_internalize_label(struct label *label, char *element_name, * a lot like file system objects. */ static void -stub_associate_vnode_devfs(struct mount *mp, struct label *mplabel, +stub_devfs_vnode_associate(struct mount *mp, struct label *mplabel, struct devfs_dirent *de, struct label *delabel, struct vnode *vp, struct label *vplabel) { @@ -171,7 +171,7 @@ stub_associate_vnode_devfs(struct mount *mp, struct label *mplabel, } static int -stub_associate_vnode_extattr(struct mount *mp, struct label *mplabel, +stub_vnode_associate_extattr(struct mount *mp, struct label *mplabel, struct vnode *vp, struct label *vplabel) { 
@@ -179,7 +179,7 @@ stub_associate_vnode_extattr(struct mount *mp, struct label *mplabel, } static void -stub_associate_vnode_singlelabel(struct mount *mp, +stub_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel, struct vnode *vp, struct label *vplabel) { @@ -192,21 +192,21 @@ stub_associate_nfsd_label(struct ucred *cred) } static void -stub_create_devfs_device(struct ucred *cred, struct mount *mp, +stub_devfs_create_device(struct ucred *cred, struct mount *mp, struct cdev *dev, struct devfs_dirent *de, struct label *delabel) { } static void -stub_create_devfs_directory(struct mount *mp, char *dirname, +stub_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen, struct devfs_dirent *de, struct label *delabel) { } static void -stub_create_devfs_symlink(struct ucred *cred, struct mount *mp, +stub_devfs_create_symlink(struct ucred *cred, struct mount *mp, struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, struct label *delabel) { @@ -214,7 +214,7 @@ stub_create_devfs_symlink(struct ucred *cred, struct mount *mp, } static int -stub_create_vnode_extattr(struct ucred *cred, struct mount *mp, +stub_vnode_create_extattr(struct ucred *cred, struct mount *mp, struct label *mntlabel, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp) { @@ -223,21 +223,21 @@ stub_create_vnode_extattr(struct ucred *cred, struct mount *mp, } static void -stub_create_mount(struct ucred *cred, struct mount *mp, +stub_mount_create(struct ucred *cred, struct mount *mp, struct label *mplabel) { } static void -stub_relabel_vnode(struct ucred *cred, struct vnode *vp, +stub_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct label *label) { } static int -stub_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, +stub_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct label *intlabel) { 
@@ -245,7 +245,7 @@ stub_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, } static void -stub_update_devfs(struct mount *mp, struct devfs_dirent *de, +stub_devfs_update(struct mount *mp, struct devfs_dirent *de, struct label *delabel, struct vnode *vp, struct label *vplabel) { 
@@ -255,63 +255,63 @@ stub_update_devfs(struct mount *mp, struct devfs_dirent *de, * Labeling event operations: IPC object. */ static void -stub_create_mbuf_from_socket(struct socket *so, struct label *solabel, +stub_socket_create_mbuf(struct socket *so, struct label *solabel, struct mbuf *m, struct label *mlabel) { } static void -stub_create_socket(struct ucred *cred, struct socket *so, +stub_socket_create(struct ucred *cred, struct socket *so, struct label *solabel) { } static void -stub_create_pipe(struct ucred *cred, struct pipepair *pp, +stub_pipe_create(struct ucred *cred, struct pipepair *pp, struct label *pplabel) { } static void -stub_create_posix_sem(struct ucred *cred, struct ksem *ks, +stub_posixsem_create(struct ucred *cred, struct ksem *ks, struct label *kslabel) { } static void -stub_create_socket_from_socket(struct socket *oldso, - struct label *oldsolabel, struct socket *newso, struct label *newsolabel) +stub_socket_newconn(struct socket *oldso, struct label *oldsolabel, + struct socket *newso, struct label *newsolabel) { } static void -stub_relabel_socket(struct ucred *cred, struct socket *so, +stub_socket_relabel(struct ucred *cred, struct socket *so, struct label *solabel, struct label *newlabel) { } static void -stub_relabel_pipe(struct ucred *cred, struct pipepair *pp, +stub_pipe_relabel(struct ucred *cred, struct pipepair *pp, struct label *pplabel, struct label *newlabel) { } static void -stub_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel, +stub_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel, struct socket *so, struct label *sopeerlabel) { } static void -stub_set_socket_peer_from_socket(struct socket *oldso, +stub_socketpeer_set_from_socket(struct socket *oldso, struct label *oldsolabel, struct socket *newso, struct label *newsopeerlabel) { 
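Review bot: The new names `stub_socket_newconn` and `stub_socket_create_mbuf` no longer say which object's label is the source and which is being initialised, something the removed names (`stub_create_socket_from_socket`, `stub_create_mbuf_from_socket`) spelled out, and the empty stub bodies carry no comment to replace it. mac_stub reads like a template that policy authors copy, so a policy that writes the wrong label of the pair would silently mislabel objects; a one-line comment per entry point would keep the direction explicit, for example `/* Label newso (newsolabel) from oldso (oldsolabel). */` above `stub_socket_newconn` and `/* Label mbuf m (mlabel) from socket so (solabel). */` above `stub_socket_create_mbuf`. The same applies in the following hunk to `stub_ipq_reassemble` (was `stub_create_datagram_from_ipq`) and `stub_inpcb_create` (was `stub_create_inpcb_from_socket`). This hunk begins and ends mid-function, but the stubs named here lie wholly inside it.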
@@ -322,34 +322,34 @@ stub_set_socket_peer_from_socket(struct socket *oldso, * Labeling event operations: network objects. */ static void -stub_create_bpfdesc(struct ucred *cred, struct bpf_d *d, +stub_bpfdesc_create(struct ucred *cred, struct bpf_d *d, struct label *dlabel) { } static void -stub_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel, +stub_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel, struct mbuf *m, struct label *mlabel) { } static void -stub_create_fragment(struct mbuf *m, struct label *mlabel, struct mbuf *frag, +stub_netinet_fragment(struct mbuf *m, struct label *mlabel, struct mbuf *frag, struct label *fraglabel) { } static void -stub_create_ifnet(struct ifnet *ifp, struct label *ifplabel) +stub_ifnet_create(struct ifnet *ifp, struct label *ifplabel) { } static void -stub_create_inpcb_from_socket(struct socket *so, struct label *solabel, +stub_inpcb_create(struct socket *so, struct label *solabel, struct inpcb *inp, struct label *inplabel) { 
@@ -362,42 +362,42 @@ stub_init_syncache_from_inpcb(struct label *label, struct inpcb *inp) } static void -stub_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr, +stub_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr, struct label *msqlabel, struct msg *msgptr, struct label *msglabel) { } static void -stub_create_sysv_msgqueue(struct ucred *cred, struct msqid_kernel *msqkptr, +stub_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr, struct label *msqlabel) { } static void -stub_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr, +stub_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr, struct label *semalabel) { } static void -stub_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr, +stub_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr, struct label *shmalabel) { } static void -stub_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq, +stub_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *ipq, struct label *ipqlabel) { } static void -stub_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel, +stub_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel, struct mbuf *m, struct label *mlabel) { @@ -418,21 +418,21 @@ stub_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel, } static void -stub_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel, +stub_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel, struct mbuf *m, struct label *mlabel) { } static void -stub_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel, +stub_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel, struct mbuf *m, struct label *mlabel) { } static void -stub_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel, +stub_mbuf_create_multicast_encap(struct mbuf *m, struct label *mlabel, struct ifnet *ifp, struct label *ifplabel, struct mbuf *mnew, struct label *mnewlabel) { 
@@ -440,20 +440,20 @@ stub_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel, } static void -stub_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel, +stub_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel, struct mbuf *mnew, struct label *mnewlabel) { } static void -stub_create_mbuf_from_firewall(struct mbuf *m, struct label *mlabel) +stub_mbuf_create_from_firewall(struct mbuf *m, struct label *mlabel) { } static int -stub_fragment_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq, +stub_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq, struct label *ipqlabel) { @@ -461,26 +461,26 @@ stub_fragment_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq, } static void -stub_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel) +stub_netinet_icmp_reply(struct mbuf *m, struct label *mlabel) { } static void -stub_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel) +stub_netinet_tcp_reply(struct mbuf *m, struct label *mlabel) { } static void -stub_relabel_ifnet(struct ucred *cred, struct ifnet *ifp, +stub_ifnet_relabel(struct ucred *cred, struct ifnet *ifp, struct label *ifplabel, struct label *newlabel) { } static void -stub_update_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq, +stub_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *ipq, struct label *ipqlabel) { @@ -497,7 +497,7 @@ stub_inpcb_sosetlabel(struct socket *so, struct label *solabel, * Labeling event operations: processes. */ static void -stub_execve_transition(struct ucred *old, struct ucred *new, +stub_vnode_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp, struct label *vplabel, struct label *interpvnodelabel, struct image_params *imgp, struct label *execlabel) { 
@@ -505,7 +505,7 @@ stub_execve_transition(struct ucred *old, struct ucred *new, } static int -stub_execve_will_transition(struct ucred *old, struct vnode *vp, +stub_vnode_execve_will_transition(struct ucred *old, struct vnode *vp, struct label *vplabel, struct label *interpvnodelabel, struct image_params *imgp, struct label *execlabel) { @@ -514,19 +514,19 @@ stub_execve_will_transition(struct ucred *old, struct vnode *vp, } static void -stub_create_proc0(struct ucred *cred) +stub_proc_create_swapper(struct ucred *cred) { } static void -stub_create_proc1(struct ucred *cred) +stub_proc_create_init(struct ucred *cred) { } static void -stub_relabel_cred(struct ucred *cred, struct label *newlabel) +stub_cred_relabel(struct ucred *cred, struct label *newlabel) { } @@ -541,25 +541,25 @@ stub_thread_userret(struct thread *td) * Label cleanup/flush operations */ static void -stub_cleanup_sysv_msgmsg(struct label *msglabel) +stub_sysvmsg_cleanup(struct label *msglabel) { } static void -stub_cleanup_sysv_msgqueue(struct label *msqlabel) +stub_sysvmsq_cleanup(struct label *msqlabel) { } static void -stub_cleanup_sysv_sem(struct label *semalabel) +stub_sysvsem_cleanup(struct label *semalabel) { } static void -stub_cleanup_sysv_shm(struct label *shmlabel) +stub_sysvshm_cleanup(struct label *shmlabel) { } @@ -568,7 +568,7 @@ stub_cleanup_sysv_shm(struct label *shmlabel) * Access control checks. */ static int -stub_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel, +stub_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel, struct ifnet *ifp, struct label *ifplabel) { 
@@ -576,21 +576,21 @@ stub_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel, } static int -stub_check_cred_relabel(struct ucred *cred, struct label *newlabel) +stub_cred_check_relabel(struct ucred *cred, struct label *newlabel) { return (0); } static int -stub_check_cred_visible(struct ucred *cr1, struct ucred *cr2) +stub_cred_check_visible(struct ucred *cr1, struct ucred *cr2) { return (0); } static int -stub_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp, +stub_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp, struct label *ifplabel, struct label *newlabel) { @@ -598,7 +598,7 @@ stub_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp, } static int -stub_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel, +stub_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel, struct mbuf *m, struct label *mlabel) { @@ -606,7 +606,7 @@ stub_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel, } static int -stub_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel, +stub_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel, struct mbuf *m, struct label *mlabel) { @@ -614,7 +614,7 @@ stub_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel, } static int -stub_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr, +stub_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr, struct label *msglabel, struct msqid_kernel *msqkptr, struct label *msqklabel) { @@ -623,7 +623,7 @@ stub_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr, } static int -stub_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr, +stub_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr, struct label *msglabel) { @@ -632,7 +632,7 @@ stub_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr, static int -stub_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr, +stub_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr, struct label *msglabel) { 
@@ -641,7 +641,7 @@ stub_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr, static int -stub_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr, +stub_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr, struct label *msqklabel) { @@ -650,7 +650,7 @@ stub_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr, static int -stub_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr, +stub_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr, struct label *msqklabel) { @@ -658,7 +658,7 @@ stub_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr, } static int -stub_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr, +stub_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr, struct label *msqklabel) { @@ -667,7 +667,7 @@ stub_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr, static int -stub_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr, +stub_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr, struct label *msqklabel, int cmd) { @@ -676,7 +676,7 @@ stub_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr, static int -stub_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr, +stub_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr, struct label *semaklabel, int cmd) { @@ -684,7 +684,7 @@ stub_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr, } static int -stub_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr, +stub_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr, struct label *semaklabel) { 
@@ -693,7 +693,7 @@ stub_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr, static int -stub_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr, +stub_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr, struct label *semaklabel, size_t accesstype) { @@ -701,7 +701,7 @@ stub_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr, } static int -stub_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr, +stub_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg) { @@ -709,7 +709,7 @@ stub_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr, } static int -stub_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr, +stub_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr, struct label *shmseglabel, int cmd) { @@ -717,7 +717,7 @@ stub_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr, } static int -stub_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr, +stub_sysvshm_check_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr, struct label *shmseglabel) { @@ -726,7 +726,7 @@ stub_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr, static int -stub_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr, +stub_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg) { 
@@ -734,35 +734,35 @@ stub_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr, } static int -stub_check_kenv_dump(struct ucred *cred) +stub_kenv_check_dump(struct ucred *cred) { return (0); } static int -stub_check_kenv_get(struct ucred *cred, char *name) +stub_kenv_check_get(struct ucred *cred, char *name) { return (0); } static int -stub_check_kenv_set(struct ucred *cred, char *name, char *value) +stub_kenv_check_set(struct ucred *cred, char *name, char *value) { return (0); } static int -stub_check_kenv_unset(struct ucred *cred, char *name) +stub_kenv_check_unset(struct ucred *cred, char *name) { return (0); } static int -stub_check_kld_load(struct ucred *cred, struct vnode *vp, +stub_kld_check_load(struct ucred *cred, struct vnode *vp, struct label *vplabel) { @@ -770,14 +770,14 @@ stub_check_kld_load(struct ucred *cred, struct vnode *vp, } static int -stub_check_kld_stat(struct ucred *cred) +stub_kld_check_stat(struct ucred *cred) { return (0); } static int -stub_check_mount_stat(struct ucred *cred, struct mount *mp, +stub_mount_check_stat(struct ucred *cred, struct mount *mp, struct label *mplabel) { @@ -785,7 +785,7 @@ stub_check_mount_stat(struct ucred *cred, struct mount *mp, } static int -stub_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp, +stub_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp, struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data) { @@ -793,7 +793,7 @@ stub_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp, } static int -stub_check_pipe_poll(struct ucred *cred, struct pipepair *pp, +stub_pipe_check_poll(struct ucred *cred, struct pipepair *pp, struct label *pplabel) { @@ -801,7 +801,7 @@ stub_check_pipe_poll(struct ucred *cred, struct pipepair *pp, } static int -stub_check_pipe_read(struct ucred *cred, struct pipepair *pp, +stub_pipe_check_read(struct ucred *cred, struct pipepair *pp, struct label *pplabel) { 
@@ -809,7 +809,7 @@ stub_check_pipe_read(struct ucred *cred, struct pipepair *pp,
 }
 static int
-stub_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
+stub_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
 struct label *pplabel, struct label *newlabel)
 {
@@ -817,7 +817,7 @@ stub_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
 }
 static int
-stub_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
+stub_pipe_check_stat(struct ucred *cred, struct pipepair *pp,
 struct label *pplabel)
 {
@@ -825,7 +825,7 @@ stub_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
 }
 static int
-stub_check_pipe_write(struct ucred *cred, struct pipepair *pp,
+stub_pipe_check_write(struct ucred *cred, struct pipepair *pp,
 struct label *pplabel)
 {
@@ -833,7 +833,7 @@ stub_check_pipe_write(struct ucred *cred, struct pipepair *pp,
 }
 static int
-stub_check_posix_sem_destroy(struct ucred *cred, struct ksem *ks,
+stub_posixsem_check_destroy(struct ucred *cred, struct ksem *ks,
 struct label *kslabel)
 {
@@ -841,7 +841,7 @@ stub_check_posix_sem_destroy(struct ucred *cred, struct ksem *ks,
 }
 static int
-stub_check_posix_sem_getvalue(struct ucred *cred, struct ksem *ks,
+stub_posixsem_check_getvalue(struct ucred *cred, struct ksem *ks,
 struct label *kslabel)
 {
@@ -849,7 +849,7 @@ stub_check_posix_sem_getvalue(struct ucred *cred, struct ksem *ks,
 }
 static int
-stub_check_posix_sem_open(struct ucred *cred, struct ksem *ks,
+stub_posixsem_check_open(struct ucred *cred, struct ksem *ks,
 struct label *kslabel)
 {
@@ -857,7 +857,7 @@ stub_check_posix_sem_open(struct ucred *cred, struct ksem *ks,
 }
 static int
-stub_check_posix_sem_post(struct ucred *cred, struct ksem *ks,
+stub_posixsem_check_post(struct ucred *cred, struct ksem *ks,
 struct label *kslabel)
 {
@@ -865,7 +865,7 @@ stub_check_posix_sem_post(struct ucred *cred, struct ksem *ks,
 }
 static int
-stub_check_posix_sem_unlink(struct ucred *cred, struct ksem *ks,
+stub_posixsem_check_unlink(struct ucred *cred, struct ksem *ks,
 struct label *kslabel)
 {
@@ -873,7 +873,7 @@ stub_check_posix_sem_unlink(struct ucred *cred, struct ksem *ks,
 }
 static int
-stub_check_posix_sem_wait(struct ucred *cred, struct ksem *ks,
+stub_posixsem_check_wait(struct ucred *cred, struct ksem *ks,
 struct label *kslabel)
 {
@@ -881,84 +881,84 @@ stub_check_posix_sem_wait(struct ucred *cred, struct ksem *ks,
 }
 static int
-stub_check_proc_debug(struct ucred *cred, struct proc *p)
+stub_proc_check_debug(struct ucred *cred, struct proc *p)
 {
 return (0);
 }
 static int
-stub_check_proc_sched(struct ucred *cred, struct proc *p)
+stub_proc_check_sched(struct ucred *cred, struct proc *p)
 {
 return (0);
 }
 static int
-stub_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
+stub_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
 {
 return (0);
 }
 static int
-stub_check_proc_wait(struct ucred *cred, struct proc *p)
+stub_proc_check_wait(struct ucred *cred, struct proc *p)
 {
 return (0);
 }
 static int
-stub_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
+stub_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai)
 {
 return (0);
 }
 static int
-stub_check_proc_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
+stub_proc_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
 {
 return (0);
 }
 static int
-stub_check_proc_setauid(struct ucred *cred, uid_t auid)
+stub_proc_check_setauid(struct ucred *cred, uid_t auid)
 {
 return (0);
 }
 static int
-stub_check_proc_setuid(struct ucred *cred, uid_t uid)
+stub_proc_check_setuid(struct ucred *cred, uid_t uid)
 {
 return (0);
 }
 static int
-stub_check_proc_seteuid(struct ucred *cred, uid_t euid)
+stub_proc_check_seteuid(struct ucred *cred, uid_t euid)
 {
 return (0);
 }
 static int
-stub_check_proc_setgid(struct ucred *cred, gid_t gid)
+stub_proc_check_setgid(struct ucred *cred, gid_t gid)
 {
 return (0);
 }
 static int
-stub_check_proc_setegid(struct ucred *cred, gid_t egid)
+stub_proc_check_setegid(struct ucred *cred, gid_t egid)
 {
 return (0);
 }
 static int
-stub_check_proc_setgroups(struct ucred *cred, int ngroups,
+stub_proc_check_setgroups(struct ucred *cred, int ngroups,
 gid_t *gidset)
 {
@@ -966,21 +966,21 @@ stub_check_proc_setgroups(struct ucred *cred, int ngroups,
 }
 static int
-stub_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
+stub_proc_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
 {
 return (0);
 }
 static int
-stub_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
+stub_proc_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
 {
 return (0);
 }
 static int
-stub_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
+stub_proc_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
 uid_t suid)
 {
@@ -988,7 +988,7 @@ stub_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
 }
 static int
-stub_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
+stub_proc_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
 gid_t sgid)
 {
@@ -996,7 +996,7 @@ stub_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
 }
 static int
-stub_check_socket_accept(struct ucred *cred, struct socket *so,
+stub_socket_check_accept(struct ucred *cred, struct socket *so,
 struct label *solabel)
 {
@@ -1004,7 +1004,7 @@ stub_check_socket_accept(struct ucred *cred, struct socket *so,
 }
 static int
-stub_check_socket_bind(struct ucred *cred, struct socket *so,
+stub_socket_check_bind(struct ucred *cred, struct socket *so,
 struct label *solabel, struct sockaddr *sa)
 {
@@ -1012,7 +1012,7 @@ stub_check_socket_bind(struct ucred *cred, struct socket *so,
 }
 static int
-stub_check_socket_connect(struct ucred *cred, struct socket *so,
+stub_socket_check_connect(struct ucred *cred, struct socket *so,
 struct label *solabel, struct sockaddr *sa)
 {
@@ -1020,14 +1020,14 @@ stub_check_socket_connect(struct ucred *cred, struct socket *so,
 }
 static int
-stub_check_socket_create(struct ucred *cred, int domain, int type, int proto)
+stub_socket_check_create(struct ucred *cred, int domain, int type, int proto)
 {
 return (0);
 }
 static int
-stub_check_socket_deliver(struct socket *so, struct label *solabel,
+stub_socket_check_deliver(struct socket *so, struct label *solabel,
 struct mbuf *m, struct label *mlabel)
 {
@@ -1035,7 +1035,7 @@ stub_check_socket_deliver(struct socket *so, struct label *solabel,
 }
 static int
-stub_check_socket_listen(struct ucred *cred, struct socket *so,
+stub_socket_check_listen(struct ucred *cred, struct socket *so,
 struct label *solabel)
 {
@@ -1043,7 +1043,7 @@ stub_check_socket_listen(struct ucred *cred, struct socket *so,
 }
 static int
-stub_check_socket_poll(struct ucred *cred, struct socket *so,
+stub_socket_check_poll(struct ucred *cred, struct socket *so,
 struct label *solabel)
 {
@@ -1051,7 +1051,7 @@ stub_check_socket_poll(struct ucred *cred, struct socket *so,
 }
 static int
-stub_check_socket_receive(struct ucred *cred, struct socket *so,
+stub_socket_check_receive(struct ucred *cred, struct socket *so,
 struct label *solabel)
 {
@@ -1059,14 +1059,14 @@ stub_check_socket_receive(struct ucred *cred, struct socket *so,
 }
 static int
-stub_check_socket_relabel(struct ucred *cred, struct socket *so,
+stub_socket_check_relabel(struct ucred *cred, struct socket *so,
 struct label *solabel, struct label *newlabel)
 {
 return (0);
 }
 static int
-stub_check_socket_send(struct ucred *cred, struct socket *so,
+stub_socket_check_send(struct ucred *cred, struct socket *so,
 struct label *solabel)
 {
@@ -1074,7 +1074,7 @@ stub_check_socket_send(struct ucred *cred, struct socket *so,
 }
 static int
-stub_check_socket_stat(struct ucred *cred, struct socket *so,
+stub_socket_check_stat(struct ucred *cred, struct socket *so,
 struct label *solabel)
 {
@@ -1082,7 +1082,7 @@ stub_check_socket_stat(struct ucred *cred, struct socket *so,
 }
 static int
-stub_check_socket_visible(struct ucred *cred, struct socket *so,
+stub_socket_check_visible(struct ucred *cred, struct socket *so,
 struct label *solabel)
 {
@@ -1090,7 +1090,7 @@ stub_check_socket_visible(struct ucred *cred, struct socket *so,
 }
 static int
-stub_check_system_acct(struct ucred *cred, struct vnode *vp,
+stub_system_check_acct(struct ucred *cred, struct vnode *vp,
 struct label *vplabel)
 {
@@ -1098,14 +1098,14 @@ stub_check_system_acct(struct ucred *cred, struct vnode *vp,
 }
 static int
-stub_check_system_audit(struct ucred *cred, void *record, int length)
+stub_system_check_audit(struct ucred *cred, void *record, int length)
 {
 return (0);
 }
 static int
-stub_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+stub_system_check_auditctl(struct ucred *cred, struct vnode *vp,
 struct label *vplabel)
 {
@@ -1113,21 +1113,21 @@ stub_check_system_auditctl(struct ucred *cred, struct vnode *vp,
 }
 static int
-stub_check_system_auditon(struct ucred *cred, int cmd)
+stub_system_check_auditon(struct ucred *cred, int cmd)
 {
 return (0);
 }
 static int
-stub_check_system_reboot(struct ucred *cred, int how)
+stub_system_check_reboot(struct ucred *cred, int how)
 {
 return (0);
 }
 static int
-stub_check_system_swapoff(struct ucred *cred, struct vnode *vp,
+stub_system_check_swapoff(struct ucred *cred, struct vnode *vp,
 struct label *vplabel)
 {
@@ -1135,7 +1135,7 @@ stub_check_system_swapoff(struct ucred *cred, struct vnode *vp,
 }
 static int
-stub_check_system_swapon(struct ucred *cred, struct vnode *vp,
+stub_system_check_swapon(struct ucred *cred, struct vnode *vp,
 struct label *vplabel)
 {
@@ -1143,7 +1143,7 @@ stub_check_system_swapon(struct ucred *cred, struct vnode *vp,
 }
 static int
-stub_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+stub_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
 void *arg1, int arg2, struct sysctl_req *req)
 {
@@ -1151,7 +1151,7 @@ stub_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, } static int -stub_check_vnode_access(struct ucred *cred, struct vnode *vp, +stub_vnode_check_access(struct ucred *cred, struct vnode *vp, struct label *vplabel, int acc_mode) { @@ -1159,7 +1159,7 @@ stub_check_vnode_access(struct ucred *cred, struct vnode *vp, } static int -stub_check_vnode_chdir(struct ucred *cred, struct vnode *dvp, +stub_vnode_check_chdir(struct ucred *cred, struct vnode *dvp, struct label *dvplabel) { @@ -1167,7 +1167,7 @@ stub_check_vnode_chdir(struct ucred *cred, struct vnode *dvp, } static int -stub_check_vnode_chroot(struct ucred *cred, struct vnode *dvp, +stub_vnode_check_chroot(struct ucred *cred, struct vnode *dvp, struct label *dvplabel) { @@ -1175,7 +1175,7 @@ stub_check_vnode_chroot(struct ucred *cred, struct vnode *dvp, } static int -stub_check_vnode_create(struct ucred *cred, struct vnode *dvp, +stub_vnode_check_create(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct componentname *cnp, struct vattr *vap) { @@ -1183,7 +1183,7 @@ stub_check_vnode_create(struct ucred *cred, struct vnode *dvp, } static int -stub_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, +stub_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp, struct label *vplabel, acl_type_t type) { @@ -1191,7 +1191,7 @@ stub_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, } static int -stub_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp, +stub_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp, struct label *vplabel, int attrnamespace, const char *name) { @@ -1199,7 +1199,7 @@ stub_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp, } static int -stub_check_vnode_exec(struct ucred *cred, struct vnode *vp, +stub_vnode_check_exec(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct image_params *imgp, struct label *execlabel) { 
@@ -1208,7 +1208,7 @@ stub_check_vnode_exec(struct ucred *cred, struct vnode *vp, } static int -stub_check_vnode_getacl(struct ucred *cred, struct vnode *vp, +stub_vnode_check_getacl(struct ucred *cred, struct vnode *vp, struct label *vplabel, acl_type_t type) { @@ -1216,7 +1216,7 @@ stub_check_vnode_getacl(struct ucred *cred, struct vnode *vp, } static int -stub_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, +stub_vnode_check_getextattr(struct ucred *cred, struct vnode *vp, struct label *vplabel, int attrnamespace, const char *name, struct uio *uio) { @@ -1225,7 +1225,7 @@ stub_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, } static int -stub_check_vnode_link(struct ucred *cred, struct vnode *dvp, +stub_vnode_check_link(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp) { @@ -1234,7 +1234,7 @@ stub_check_vnode_link(struct ucred *cred, struct vnode *dvp, } static int -stub_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, +stub_vnode_check_listextattr(struct ucred *cred, struct vnode *vp, struct label *vplabel, int attrnamespace) { @@ -1242,7 +1242,7 @@ stub_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, } static int -stub_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, +stub_vnode_check_lookup(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct componentname *cnp) { @@ -1250,7 +1250,7 @@ stub_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, } static int -stub_check_vnode_mmap(struct ucred *cred, struct vnode *vp, +stub_vnode_check_mmap(struct ucred *cred, struct vnode *vp, struct label *vplabel, int prot, int flags) { 
@@ -1258,14 +1258,14 @@ stub_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
 }
 static void
-stub_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, int *prot)
 {
 }
 static int
-stub_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_mprotect(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, int prot)
 {
@@ -1273,7 +1273,7 @@ stub_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
 }
 static int
-stub_check_vnode_open(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_open(struct ucred *cred, struct vnode *vp,
 struct label *vplabel, int acc_mode)
 {
@@ -1281,7 +1281,7 @@ stub_check_vnode_open(struct ucred *cred, struct vnode *vp,
 }
 static int
-stub_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
+stub_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
 struct vnode *vp, struct label *vplabel)
 {
@@ -1289,7 +1289,7 @@ stub_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
 }
 static int
-stub_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
+stub_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
 struct vnode *vp, struct label *vplabel)
 {
@@ -1297,7 +1297,7 @@ stub_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
 }
 static int
-stub_check_vnode_readdir(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_readdir(struct ucred *cred, struct vnode *vp,
 struct label *dvplabel)
 {
@@ -1305,7 +1305,7 @@ stub_check_vnode_readdir(struct ucred *cred, struct vnode *vp,
 }
 static int
-stub_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_readlink(struct ucred *cred, struct vnode *vp,
 struct label *vplabel)
 {
@@ -1313,7 +1313,7 @@ stub_check_vnode_readlink(struct ucred *cred, struct vnode *vp, } static int -stub_check_vnode_relabel(struct ucred *cred, struct vnode *vp, +stub_vnode_check_relabel(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct label *newlabel) { @@ -1321,7 +1321,7 @@ stub_check_vnode_relabel(struct ucred *cred, struct vnode *vp, } static int -stub_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, +stub_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp) { @@ -1330,7 +1330,7 @@ stub_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, } static int -stub_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, +stub_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, int samedir, struct componentname *cnp) { @@ -1339,7 +1339,7 @@ stub_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, } static int -stub_check_vnode_revoke(struct ucred *cred, struct vnode *vp, +stub_vnode_check_revoke(struct ucred *cred, struct vnode *vp, struct label *vplabel) { @@ -1347,7 +1347,7 @@ stub_check_vnode_revoke(struct ucred *cred, struct vnode *vp, } static int -stub_check_vnode_setacl(struct ucred *cred, struct vnode *vp, +stub_vnode_check_setacl(struct ucred *cred, struct vnode *vp, struct label *vplabel, acl_type_t type, struct acl *acl) { @@ -1355,7 +1355,7 @@ stub_check_vnode_setacl(struct ucred *cred, struct vnode *vp, } static int -stub_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, +stub_vnode_check_setextattr(struct ucred *cred, struct vnode *vp, struct label *vplabel, int attrnamespace, const char *name, struct uio *uio) { 
@@ -1364,7 +1364,7 @@ stub_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, } static int -stub_check_vnode_setflags(struct ucred *cred, struct vnode *vp, +stub_vnode_check_setflags(struct ucred *cred, struct vnode *vp, struct label *vplabel, u_long flags) { @@ -1372,7 +1372,7 @@ stub_check_vnode_setflags(struct ucred *cred, struct vnode *vp, } static int -stub_check_vnode_setmode(struct ucred *cred, struct vnode *vp, +stub_vnode_check_setmode(struct ucred *cred, struct vnode *vp, struct label *vplabel, mode_t mode) { @@ -1380,7 +1380,7 @@ stub_check_vnode_setmode(struct ucred *cred, struct vnode *vp, } static int -stub_check_vnode_setowner(struct ucred *cred, struct vnode *vp, +stub_vnode_check_setowner(struct ucred *cred, struct vnode *vp, struct label *vplabel, uid_t uid, gid_t gid) { @@ -1388,7 +1388,7 @@ stub_check_vnode_setowner(struct ucred *cred, struct vnode *vp, } static int -stub_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, +stub_vnode_check_setutimes(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct timespec atime, struct timespec mtime) { @@ -1396,7 +1396,7 @@ stub_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, } static int -stub_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, +stub_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, struct label *vplabel) { @@ -1404,7 +1404,7 @@ stub_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, } static int -stub_check_vnode_unlink(struct ucred *cred, struct vnode *dvp, +stub_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp) { 
@@ -1413,7 +1413,7 @@ stub_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
 }
 static int
-stub_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
+stub_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
 struct vnode *vp, struct label *vplabel)
 {
@@ -1439,219 +1439,219 @@ static struct mac_policy_ops mac_stub_ops =
 .mpo_destroy = stub_destroy,
 .mpo_init = stub_init,
 .mpo_syscall = stub_syscall,
- .mpo_init_bpfdesc_label = stub_init_label,
- .mpo_init_cred_label = stub_init_label,
- .mpo_init_devfs_label = stub_init_label,
- .mpo_init_ifnet_label = stub_init_label,
- .mpo_init_inpcb_label = stub_init_label_waitcheck,
- .mpo_init_sysv_msgmsg_label = stub_init_label,
- .mpo_init_sysv_msgqueue_label = stub_init_label,
- .mpo_init_sysv_sem_label = stub_init_label,
- .mpo_init_sysv_shm_label = stub_init_label,
- .mpo_init_ipq_label = stub_init_label_waitcheck,
- .mpo_init_mbuf_label = stub_init_label_waitcheck,
- .mpo_init_mount_label = stub_init_label,
- .mpo_init_pipe_label = stub_init_label,
- .mpo_init_posix_sem_label = stub_init_label,
- .mpo_init_socket_label = stub_init_label_waitcheck,
- .mpo_init_socket_peer_label = stub_init_label_waitcheck,
- .mpo_init_vnode_label = stub_init_label,
- .mpo_destroy_bpfdesc_label = stub_destroy_label,
- .mpo_destroy_cred_label = stub_destroy_label,
- .mpo_destroy_devfs_label = stub_destroy_label,
- .mpo_destroy_ifnet_label = stub_destroy_label,
- .mpo_destroy_inpcb_label = stub_destroy_label,
- .mpo_destroy_sysv_msgmsg_label = stub_destroy_label,
- .mpo_destroy_sysv_msgqueue_label = stub_destroy_label,
- .mpo_destroy_sysv_sem_label = stub_destroy_label,
- .mpo_destroy_sysv_shm_label = stub_destroy_label,
- .mpo_destroy_ipq_label = stub_destroy_label,
- .mpo_destroy_mbuf_label = stub_destroy_label,
- .mpo_destroy_mount_label = stub_destroy_label,
- .mpo_destroy_pipe_label = stub_destroy_label,
- .mpo_destroy_posix_sem_label = stub_destroy_label,
- .mpo_destroy_socket_label = stub_destroy_label,
- .mpo_destroy_socket_peer_label = stub_destroy_label,
- .mpo_destroy_vnode_label = stub_destroy_label,
- .mpo_copy_cred_label = stub_copy_label,
- .mpo_copy_ifnet_label = stub_copy_label,
- .mpo_copy_mbuf_label = stub_copy_label,
- .mpo_copy_pipe_label = stub_copy_label,
- .mpo_copy_socket_label = stub_copy_label,
- .mpo_copy_vnode_label = stub_copy_label,
- .mpo_externalize_cred_label = stub_externalize_label,
- .mpo_externalize_ifnet_label = stub_externalize_label,
- .mpo_externalize_pipe_label = stub_externalize_label,
- .mpo_externalize_socket_label = stub_externalize_label,
- .mpo_externalize_socket_peer_label = stub_externalize_label,
- .mpo_externalize_vnode_label = stub_externalize_label,
- .mpo_internalize_cred_label = stub_internalize_label,
- .mpo_internalize_ifnet_label = stub_internalize_label,
- .mpo_internalize_pipe_label = stub_internalize_label,
- .mpo_internalize_socket_label = stub_internalize_label,
- .mpo_internalize_vnode_label = stub_internalize_label,
- .mpo_associate_vnode_devfs = stub_associate_vnode_devfs,
- .mpo_associate_vnode_extattr = stub_associate_vnode_extattr,
+ .mpo_bpfdesc_init_label = stub_init_label,
+ .mpo_cred_init_label = stub_init_label,
+ .mpo_devfs_init_label = stub_init_label,
+ .mpo_ifnet_init_label = stub_init_label,
+ .mpo_inpcb_init_label = stub_init_label_waitcheck,
+ .mpo_sysvmsg_init_label = stub_init_label,
+ .mpo_sysvmsq_init_label = stub_init_label,
+ .mpo_sysvsem_init_label = stub_init_label,
+ .mpo_sysvshm_init_label = stub_init_label,
+ .mpo_ipq_init_label = stub_init_label_waitcheck,
+ .mpo_mbuf_init_label = stub_init_label_waitcheck,
+ .mpo_mount_init_label = stub_init_label,
+ .mpo_pipe_init_label = stub_init_label,
+ .mpo_posixsem_init_label = stub_init_label,
+ .mpo_socket_init_label = stub_init_label_waitcheck,
+ .mpo_socketpeer_init_label = stub_init_label_waitcheck,
+ .mpo_vnode_init_label = stub_init_label,
+ .mpo_bpfdesc_destroy_label = stub_destroy_label,
+ .mpo_cred_destroy_label = stub_destroy_label,
+ .mpo_devfs_destroy_label = stub_destroy_label,
+ .mpo_ifnet_destroy_label = stub_destroy_label,
+ .mpo_inpcb_destroy_label = stub_destroy_label,
+ .mpo_sysvmsg_destroy_label = stub_destroy_label,
+ .mpo_sysvmsq_destroy_label = stub_destroy_label,
+ .mpo_sysvsem_destroy_label = stub_destroy_label,
+ .mpo_sysvshm_destroy_label = stub_destroy_label,
+ .mpo_ipq_destroy_label = stub_destroy_label,
+ .mpo_mbuf_destroy_label = stub_destroy_label,
+ .mpo_mount_destroy_label = stub_destroy_label,
+ .mpo_pipe_destroy_label = stub_destroy_label,
+ .mpo_posixsem_destroy_label = stub_destroy_label,
+ .mpo_socket_destroy_label = stub_destroy_label,
+ .mpo_socketpeer_destroy_label = stub_destroy_label,
+ .mpo_vnode_destroy_label = stub_destroy_label,
+ .mpo_cred_copy_label = stub_copy_label,
+ .mpo_ifnet_copy_label = stub_copy_label,
+ .mpo_mbuf_copy_label = stub_copy_label,
+ .mpo_pipe_copy_label = stub_copy_label,
+ .mpo_socket_copy_label = stub_copy_label,
+ .mpo_vnode_copy_label = stub_copy_label,
+ .mpo_cred_externalize_label = stub_externalize_label,
+ .mpo_ifnet_externalize_label = stub_externalize_label,
+ .mpo_pipe_externalize_label = stub_externalize_label,
+ .mpo_socket_externalize_label = stub_externalize_label,
+ .mpo_socketpeer_externalize_label = stub_externalize_label,
+ .mpo_vnode_externalize_label = stub_externalize_label,
+ .mpo_cred_internalize_label = stub_internalize_label,
+ .mpo_ifnet_internalize_label = stub_internalize_label,
+ .mpo_pipe_internalize_label = stub_internalize_label,
+ .mpo_socket_internalize_label = stub_internalize_label,
+ .mpo_vnode_internalize_label = stub_internalize_label,
+ .mpo_devfs_vnode_associate = stub_devfs_vnode_associate,
+ .mpo_vnode_associate_extattr = stub_vnode_associate_extattr,
 .mpo_associate_nfsd_label = stub_associate_nfsd_label,
- .mpo_associate_vnode_singlelabel = stub_associate_vnode_singlelabel,
- .mpo_create_devfs_device = stub_create_devfs_device,
- .mpo_create_devfs_directory = stub_create_devfs_directory,
- .mpo_create_devfs_symlink = stub_create_devfs_symlink,
- .mpo_create_sysv_msgmsg = stub_create_sysv_msgmsg,
- .mpo_create_sysv_msgqueue = stub_create_sysv_msgqueue,
- .mpo_create_sysv_sem = stub_create_sysv_sem,
- .mpo_create_sysv_shm = stub_create_sysv_shm,
- .mpo_create_vnode_extattr = stub_create_vnode_extattr,
- .mpo_create_mount = stub_create_mount,
- .mpo_relabel_vnode = stub_relabel_vnode,
- .mpo_setlabel_vnode_extattr = stub_setlabel_vnode_extattr,
- .mpo_update_devfs = stub_update_devfs,
- .mpo_create_mbuf_from_socket = stub_create_mbuf_from_socket,
- .mpo_create_pipe = stub_create_pipe,
- .mpo_create_posix_sem = stub_create_posix_sem,
- .mpo_create_socket = stub_create_socket,
- .mpo_create_socket_from_socket = stub_create_socket_from_socket,
- .mpo_relabel_pipe = stub_relabel_pipe,
- .mpo_relabel_socket = stub_relabel_socket,
- .mpo_set_socket_peer_from_mbuf = stub_set_socket_peer_from_mbuf,
- .mpo_set_socket_peer_from_socket = stub_set_socket_peer_from_socket,
- .mpo_create_bpfdesc = stub_create_bpfdesc,
- .mpo_create_ifnet = stub_create_ifnet,
- .mpo_create_inpcb_from_socket = stub_create_inpcb_from_socket,
- .mpo_create_ipq = stub_create_ipq,
- .mpo_create_datagram_from_ipq = stub_create_datagram_from_ipq,
- .mpo_create_fragment = stub_create_fragment,
- .mpo_create_mbuf_from_inpcb = stub_create_mbuf_from_inpcb,
+ .mpo_vnode_associate_singlelabel = stub_vnode_associate_singlelabel,
+ .mpo_devfs_create_device = stub_devfs_create_device,
+ .mpo_devfs_create_directory = stub_devfs_create_directory,
+ .mpo_devfs_create_symlink = stub_devfs_create_symlink,
+ .mpo_sysvmsg_create = stub_sysvmsg_create,
+ .mpo_sysvmsq_create = stub_sysvmsq_create,
+ .mpo_sysvsem_create = stub_sysvsem_create,
+ .mpo_sysvshm_create = stub_sysvshm_create,
+ .mpo_vnode_create_extattr = stub_vnode_create_extattr,
+ .mpo_mount_create = stub_mount_create,
+ .mpo_vnode_relabel = stub_vnode_relabel,
+ .mpo_vnode_setlabel_extattr = stub_vnode_setlabel_extattr,
+ .mpo_devfs_update = stub_devfs_update,
+ .mpo_socket_create_mbuf = stub_socket_create_mbuf,
+ .mpo_pipe_create = stub_pipe_create,
+ .mpo_posixsem_create = stub_posixsem_create,
+ .mpo_socket_create = stub_socket_create,
+ .mpo_socket_newconn = stub_socket_newconn,
+ .mpo_pipe_relabel = stub_pipe_relabel,
+ .mpo_socket_relabel = stub_socket_relabel,
+ .mpo_socketpeer_set_from_mbuf = stub_socketpeer_set_from_mbuf,
+ .mpo_socketpeer_set_from_socket = stub_socketpeer_set_from_socket,
+ .mpo_bpfdesc_create = stub_bpfdesc_create,
+ .mpo_ifnet_create = stub_ifnet_create,
+ .mpo_inpcb_create = stub_inpcb_create,
+ .mpo_ipq_create = stub_ipq_create,
+ .mpo_ipq_reassemble = stub_ipq_reassemble,
+ .mpo_netinet_fragment = stub_netinet_fragment,
+ .mpo_inpcb_create_mbuf = stub_inpcb_create_mbuf,
 .mpo_create_mbuf_linklayer = stub_create_mbuf_linklayer,
- .mpo_create_mbuf_from_bpfdesc = stub_create_mbuf_from_bpfdesc,
- .mpo_create_mbuf_from_ifnet = stub_create_mbuf_from_ifnet,
- .mpo_create_mbuf_multicast_encap = stub_create_mbuf_multicast_encap,
- .mpo_create_mbuf_netlayer = stub_create_mbuf_netlayer,
- .mpo_create_mbuf_from_firewall = stub_create_mbuf_from_firewall,
- .mpo_fragment_match = stub_fragment_match,
- .mpo_reflect_mbuf_icmp = stub_reflect_mbuf_icmp,
- .mpo_reflect_mbuf_tcp = stub_reflect_mbuf_tcp,
- .mpo_relabel_ifnet = stub_relabel_ifnet,
- .mpo_update_ipq = stub_update_ipq,
+ .mpo_bpfdesc_create_mbuf = stub_bpfdesc_create_mbuf,
+ .mpo_ifnet_create_mbuf = stub_ifnet_create_mbuf,
+ .mpo_mbuf_create_multicast_encap = stub_mbuf_create_multicast_encap,
+ .mpo_mbuf_create_netlayer = stub_mbuf_create_netlayer,
+ .mpo_mbuf_create_from_firewall = stub_mbuf_create_from_firewall,
+ .mpo_ipq_match = stub_ipq_match,
+ .mpo_netinet_icmp_reply = stub_netinet_icmp_reply,
+ .mpo_netinet_tcp_reply = stub_netinet_tcp_reply,
+ .mpo_ifnet_relabel = stub_ifnet_relabel,
+ .mpo_ipq_update = stub_ipq_update,
 .mpo_inpcb_sosetlabel = stub_inpcb_sosetlabel,
- .mpo_execve_transition = stub_execve_transition,
- .mpo_execve_will_transition = stub_execve_will_transition,
- .mpo_create_proc0 = stub_create_proc0,
- .mpo_create_proc1 = stub_create_proc1,
- .mpo_relabel_cred = stub_relabel_cred,
+ .mpo_vnode_execve_transition = stub_vnode_execve_transition,
+ .mpo_vnode_execve_will_transition = stub_vnode_execve_will_transition,
+ .mpo_proc_create_swapper = stub_proc_create_swapper,
+ .mpo_proc_create_init = stub_proc_create_init,
+ .mpo_cred_relabel= stub_cred_relabel,
 .mpo_thread_userret = stub_thread_userret,
- .mpo_cleanup_sysv_msgmsg = stub_cleanup_sysv_msgmsg,
- .mpo_cleanup_sysv_msgqueue = stub_cleanup_sysv_msgqueue,
- .mpo_cleanup_sysv_sem = stub_cleanup_sysv_sem,
- .mpo_cleanup_sysv_shm = stub_cleanup_sysv_shm,
- .mpo_check_bpfdesc_receive = stub_check_bpfdesc_receive,
- .mpo_check_cred_relabel = stub_check_cred_relabel,
- .mpo_check_cred_visible = stub_check_cred_visible,
- .mpo_check_ifnet_relabel = stub_check_ifnet_relabel,
- .mpo_check_ifnet_transmit = stub_check_ifnet_transmit,
- .mpo_check_inpcb_deliver = stub_check_inpcb_deliver,
- .mpo_check_sysv_msgmsq = stub_check_sysv_msgmsq,
- .mpo_check_sysv_msgrcv = stub_check_sysv_msgrcv,
- .mpo_check_sysv_msgrmid = stub_check_sysv_msgrmid,
- .mpo_check_sysv_msqget = stub_check_sysv_msqget,
- .mpo_check_sysv_msqsnd = stub_check_sysv_msqsnd,
- .mpo_check_sysv_msqrcv = stub_check_sysv_msqrcv,
- .mpo_check_sysv_msqctl = stub_check_sysv_msqctl,
- .mpo_check_sysv_semctl = stub_check_sysv_semctl,
- .mpo_check_sysv_semget = stub_check_sysv_semget,
- .mpo_check_sysv_semop = stub_check_sysv_semop,
- .mpo_check_sysv_shmat = stub_check_sysv_shmat,
- .mpo_check_sysv_shmctl = stub_check_sysv_shmctl,
- .mpo_check_sysv_shmdt = stub_check_sysv_shmdt,
- .mpo_check_sysv_shmget = stub_check_sysv_shmget,
- .mpo_check_kenv_dump = stub_check_kenv_dump,
- .mpo_check_kenv_get = stub_check_kenv_get,
- .mpo_check_kenv_set = stub_check_kenv_set,
- .mpo_check_kenv_unset = stub_check_kenv_unset,
- .mpo_check_kld_load = stub_check_kld_load,
- .mpo_check_kld_stat = stub_check_kld_stat,
- .mpo_check_mount_stat = stub_check_mount_stat,
- .mpo_check_pipe_ioctl = stub_check_pipe_ioctl,
- .mpo_check_pipe_poll = stub_check_pipe_poll,
- .mpo_check_pipe_read = stub_check_pipe_read,
- .mpo_check_pipe_relabel = stub_check_pipe_relabel,
- .mpo_check_pipe_stat = stub_check_pipe_stat,
- .mpo_check_pipe_write = stub_check_pipe_write,
- .mpo_check_posix_sem_destroy = stub_check_posix_sem_destroy,
- .mpo_check_posix_sem_getvalue = stub_check_posix_sem_getvalue,
- .mpo_check_posix_sem_open = stub_check_posix_sem_open,
- .mpo_check_posix_sem_post = stub_check_posix_sem_post,
- .mpo_check_posix_sem_unlink = stub_check_posix_sem_unlink,
- .mpo_check_posix_sem_wait = stub_check_posix_sem_wait,
- .mpo_check_proc_debug = stub_check_proc_debug,
- .mpo_check_proc_sched = stub_check_proc_sched,
- .mpo_check_proc_setaudit = stub_check_proc_setaudit,
- .mpo_check_proc_setaudit_addr = stub_check_proc_setaudit_addr,
- .mpo_check_proc_setauid = stub_check_proc_setauid,
- .mpo_check_proc_setuid = stub_check_proc_setuid,
- .mpo_check_proc_seteuid = stub_check_proc_seteuid,
- .mpo_check_proc_setgid = stub_check_proc_setgid,
- .mpo_check_proc_setegid = stub_check_proc_setegid,
- .mpo_check_proc_setgroups = stub_check_proc_setgroups,
- .mpo_check_proc_setreuid = stub_check_proc_setreuid,
- .mpo_check_proc_setregid = stub_check_proc_setregid,
- .mpo_check_proc_setresuid = stub_check_proc_setresuid,
- .mpo_check_proc_setresgid = stub_check_proc_setresgid,
- .mpo_check_proc_signal = stub_check_proc_signal,
- .mpo_check_proc_wait = stub_check_proc_wait,
- .mpo_check_socket_accept = stub_check_socket_accept,
- .mpo_check_socket_bind = stub_check_socket_bind,
- .mpo_check_socket_connect = stub_check_socket_connect,
- .mpo_check_socket_create = stub_check_socket_create,
- .mpo_check_socket_deliver = stub_check_socket_deliver,
- .mpo_check_socket_listen = stub_check_socket_listen,
- .mpo_check_socket_poll = stub_check_socket_poll,
- .mpo_check_socket_receive = stub_check_socket_receive,
- .mpo_check_socket_relabel = stub_check_socket_relabel,
- .mpo_check_socket_send = stub_check_socket_send,
- .mpo_check_socket_stat = stub_check_socket_stat,
- .mpo_check_socket_visible = stub_check_socket_visible,
- .mpo_check_system_acct = stub_check_system_acct,
- .mpo_check_system_audit = stub_check_system_audit,
- .mpo_check_system_auditctl = stub_check_system_auditctl,
- .mpo_check_system_auditon = stub_check_system_auditon,
- .mpo_check_system_reboot = stub_check_system_reboot,
- .mpo_check_system_swapoff = stub_check_system_swapoff,
- .mpo_check_system_swapon = stub_check_system_swapon,
- .mpo_check_system_sysctl = stub_check_system_sysctl,
- .mpo_check_vnode_access = stub_check_vnode_access,
- .mpo_check_vnode_chdir = stub_check_vnode_chdir,
- .mpo_check_vnode_chroot = stub_check_vnode_chroot,
- .mpo_check_vnode_create = stub_check_vnode_create,
- .mpo_check_vnode_deleteacl = stub_check_vnode_deleteacl,
- .mpo_check_vnode_deleteextattr = stub_check_vnode_deleteextattr,
- .mpo_check_vnode_exec = stub_check_vnode_exec,
- .mpo_check_vnode_getacl = stub_check_vnode_getacl,
- .mpo_check_vnode_getextattr = stub_check_vnode_getextattr,
- .mpo_check_vnode_link = stub_check_vnode_link,
- .mpo_check_vnode_listextattr = stub_check_vnode_listextattr,
- .mpo_check_vnode_lookup = stub_check_vnode_lookup,
- .mpo_check_vnode_mmap = stub_check_vnode_mmap,
- .mpo_check_vnode_mmap_downgrade = stub_check_vnode_mmap_downgrade,
- .mpo_check_vnode_mprotect = stub_check_vnode_mprotect,
- .mpo_check_vnode_open = stub_check_vnode_open,
- .mpo_check_vnode_poll = stub_check_vnode_poll,
- .mpo_check_vnode_read = stub_check_vnode_read,
- .mpo_check_vnode_readdir = stub_check_vnode_readdir,
- .mpo_check_vnode_readlink = stub_check_vnode_readlink,
- .mpo_check_vnode_relabel = stub_check_vnode_relabel,
- .mpo_check_vnode_rename_from = stub_check_vnode_rename_from,
- .mpo_check_vnode_rename_to = stub_check_vnode_rename_to,
- .mpo_check_vnode_revoke = stub_check_vnode_revoke,
- .mpo_check_vnode_setacl = stub_check_vnode_setacl,
- .mpo_check_vnode_setextattr = stub_check_vnode_setextattr,
- .mpo_check_vnode_setflags = stub_check_vnode_setflags,
- .mpo_check_vnode_setmode = stub_check_vnode_setmode,
- .mpo_check_vnode_setowner = stub_check_vnode_setowner,
- .mpo_check_vnode_setutimes = stub_check_vnode_setutimes,
- .mpo_check_vnode_stat = stub_check_vnode_stat,
- .mpo_check_vnode_unlink = stub_check_vnode_unlink,
- .mpo_check_vnode_write = stub_check_vnode_write,
+ .mpo_sysvmsg_cleanup = stub_sysvmsg_cleanup,
+ .mpo_sysvmsq_cleanup = stub_sysvmsq_cleanup,
+ .mpo_sysvsem_cleanup = stub_sysvsem_cleanup,
+ .mpo_sysvshm_cleanup = stub_sysvshm_cleanup,
+ .mpo_bpfdesc_check_receive = stub_bpfdesc_check_receive,
+ .mpo_cred_check_relabel = stub_cred_check_relabel,
+ .mpo_cred_check_visible = stub_cred_check_visible,
+ .mpo_ifnet_check_relabel = stub_ifnet_check_relabel,
+ .mpo_ifnet_check_transmit = stub_ifnet_check_transmit,
+ .mpo_inpcb_check_deliver = stub_inpcb_check_deliver,
+ .mpo_sysvmsq_check_msgmsq = stub_sysvmsq_check_msgmsq,
+ .mpo_sysvmsq_check_msgrcv = stub_sysvmsq_check_msgrcv,
+ .mpo_sysvmsq_check_msgrmid = stub_sysvmsq_check_msgrmid,
+ .mpo_sysvmsq_check_msqget = stub_sysvmsq_check_msqget,
+ .mpo_sysvmsq_check_msqsnd = stub_sysvmsq_check_msqsnd,
+ .mpo_sysvmsq_check_msqrcv = stub_sysvmsq_check_msqrcv,
+ .mpo_sysvmsq_check_msqctl = stub_sysvmsq_check_msqctl,
+ .mpo_sysvsem_check_semctl = stub_sysvsem_check_semctl,
+ .mpo_sysvsem_check_semget = stub_sysvsem_check_semget,
+ .mpo_sysvsem_check_semop = stub_sysvsem_check_semop,
+ .mpo_sysvshm_check_shmat = stub_sysvshm_check_shmat,
+ .mpo_sysvshm_check_shmctl = stub_sysvshm_check_shmctl,
+ .mpo_sysvshm_check_shmdt = stub_sysvshm_check_shmdt,
+ .mpo_sysvshm_check_shmget = stub_sysvshm_check_shmget,
+ .mpo_kenv_check_dump = stub_kenv_check_dump,
+ .mpo_kenv_check_get = stub_kenv_check_get,
+ .mpo_kenv_check_set = stub_kenv_check_set,
+ .mpo_kenv_check_unset = stub_kenv_check_unset,
+ .mpo_kld_check_load = stub_kld_check_load,
+ .mpo_kld_check_stat = stub_kld_check_stat,
+ .mpo_mount_check_stat = stub_mount_check_stat,
+ .mpo_pipe_check_ioctl =
stub_pipe_check_ioctl, + .mpo_pipe_check_poll = stub_pipe_check_poll, + .mpo_pipe_check_read = stub_pipe_check_read, + .mpo_pipe_check_relabel = stub_pipe_check_relabel, + .mpo_pipe_check_stat = stub_pipe_check_stat, + .mpo_pipe_check_write = stub_pipe_check_write, + .mpo_posixsem_check_destroy = stub_posixsem_check_destroy, + .mpo_posixsem_check_getvalue = stub_posixsem_check_getvalue, + .mpo_posixsem_check_open = stub_posixsem_check_open, + .mpo_posixsem_check_post = stub_posixsem_check_post, + .mpo_posixsem_check_unlink = stub_posixsem_check_unlink, + .mpo_posixsem_check_wait = stub_posixsem_check_wait, + .mpo_proc_check_debug = stub_proc_check_debug, + .mpo_proc_check_sched = stub_proc_check_sched, + .mpo_proc_check_setaudit = stub_proc_check_setaudit, + .mpo_proc_check_setaudit_addr = stub_proc_check_setaudit_addr, + .mpo_proc_check_setauid = stub_proc_check_setauid, + .mpo_proc_check_setuid = stub_proc_check_setuid, + .mpo_proc_check_seteuid = stub_proc_check_seteuid, + .mpo_proc_check_setgid = stub_proc_check_setgid, + .mpo_proc_check_setegid = stub_proc_check_setegid, + .mpo_proc_check_setgroups = stub_proc_check_setgroups, + .mpo_proc_check_setreuid = stub_proc_check_setreuid, + .mpo_proc_check_setregid = stub_proc_check_setregid, + .mpo_proc_check_setresuid = stub_proc_check_setresuid, + .mpo_proc_check_setresgid = stub_proc_check_setresgid, + .mpo_proc_check_signal = stub_proc_check_signal, + .mpo_proc_check_wait = stub_proc_check_wait, + .mpo_socket_check_accept = stub_socket_check_accept, + .mpo_socket_check_bind = stub_socket_check_bind, + .mpo_socket_check_connect = stub_socket_check_connect, + .mpo_socket_check_create = stub_socket_check_create, + .mpo_socket_check_deliver = stub_socket_check_deliver, + .mpo_socket_check_listen = stub_socket_check_listen, + .mpo_socket_check_poll = stub_socket_check_poll, + .mpo_socket_check_receive = stub_socket_check_receive, + .mpo_socket_check_relabel = stub_socket_check_relabel, + .mpo_socket_check_send = 
stub_socket_check_send, + .mpo_socket_check_stat = stub_socket_check_stat, + .mpo_socket_check_visible = stub_socket_check_visible, + .mpo_system_check_acct = stub_system_check_acct, + .mpo_system_check_audit = stub_system_check_audit, + .mpo_system_check_auditctl = stub_system_check_auditctl, + .mpo_system_check_auditon = stub_system_check_auditon, + .mpo_system_check_reboot = stub_system_check_reboot, + .mpo_system_check_swapoff = stub_system_check_swapoff, + .mpo_system_check_swapon = stub_system_check_swapon, + .mpo_system_check_sysctl = stub_system_check_sysctl, + .mpo_vnode_check_access = stub_vnode_check_access, + .mpo_vnode_check_chdir = stub_vnode_check_chdir, + .mpo_vnode_check_chroot = stub_vnode_check_chroot, + .mpo_vnode_check_create = stub_vnode_check_create, + .mpo_vnode_check_deleteacl = stub_vnode_check_deleteacl, + .mpo_vnode_check_deleteextattr = stub_vnode_check_deleteextattr, + .mpo_vnode_check_exec = stub_vnode_check_exec, + .mpo_vnode_check_getacl = stub_vnode_check_getacl, + .mpo_vnode_check_getextattr = stub_vnode_check_getextattr, + .mpo_vnode_check_link = stub_vnode_check_link, + .mpo_vnode_check_listextattr = stub_vnode_check_listextattr, + .mpo_vnode_check_lookup = stub_vnode_check_lookup, + .mpo_vnode_check_mmap = stub_vnode_check_mmap, + .mpo_vnode_check_mmap_downgrade = stub_vnode_check_mmap_downgrade, + .mpo_vnode_check_mprotect = stub_vnode_check_mprotect, + .mpo_vnode_check_open = stub_vnode_check_open, + .mpo_vnode_check_poll = stub_vnode_check_poll, + .mpo_vnode_check_read = stub_vnode_check_read, + .mpo_vnode_check_readdir = stub_vnode_check_readdir, + .mpo_vnode_check_readlink = stub_vnode_check_readlink, + .mpo_vnode_check_relabel = stub_vnode_check_relabel, + .mpo_vnode_check_rename_from = stub_vnode_check_rename_from, + .mpo_vnode_check_rename_to = stub_vnode_check_rename_to, + .mpo_vnode_check_revoke = stub_vnode_check_revoke, + .mpo_vnode_check_setacl = stub_vnode_check_setacl, + .mpo_vnode_check_setextattr = 
stub_vnode_check_setextattr, + .mpo_vnode_check_setflags = stub_vnode_check_setflags, + .mpo_vnode_check_setmode = stub_vnode_check_setmode, + .mpo_vnode_check_setowner = stub_vnode_check_setowner, + .mpo_vnode_check_setutimes = stub_vnode_check_setutimes, + .mpo_vnode_check_stat = stub_vnode_check_stat, + .mpo_vnode_check_unlink = stub_vnode_check_unlink, + .mpo_vnode_check_write = stub_vnode_check_write, .mpo_priv_check = stub_priv_check, .mpo_priv_grant = stub_priv_grant, .mpo_init_syncache_label = stub_init_label_waitcheck, diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c index 4947cdc..c7eaaad 100644 --- a/sys/security/mac_test/mac_test.c +++ b/sys/security/mac_test/mac_test.c @@ -1,6 +1,7 @@ /*- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson * Copyright (c) 2001-2005 McAfee, Inc. + * Copyright (c) 2006 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -10,6 +11,9 @@ * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA * CHATS research program. * + * This software was enhanced by SPARTA ISSO under SPAWAR contract + * N66001-04-C-6019 ("SEFOS"). + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: 
@@ -146,287 +150,287 @@ SYSCTL_NODE(_security_mac_test, OID_AUTO, counter, CTLFLAG_RW, 0, /* * Label operations. */ -COUNTER_DECL(init_bpfdesc_label); +COUNTER_DECL(bpfdesc_init_label); static void -mac_test_init_bpfdesc_label(struct label *label) +mac_test_bpfdesc_init_label(struct label *label) { LABEL_INIT(label, MAGIC_BPF); - COUNTER_INC(init_bpfdesc_label); + COUNTER_INC(bpfdesc_init_label); } -COUNTER_DECL(init_cred_label); +COUNTER_DECL(cred_init_label); static void -mac_test_init_cred_label(struct label *label) +mac_test_cred_init_label(struct label *label) { LABEL_INIT(label, MAGIC_CRED); - COUNTER_INC(init_cred_label); + COUNTER_INC(cred_init_label); } -COUNTER_DECL(init_devfs_label); +COUNTER_DECL(devfs_init_label); static void -mac_test_init_devfs_label(struct label *label) +mac_test_devfs_init_label(struct label *label) { LABEL_INIT(label, MAGIC_DEVFS); - COUNTER_INC(init_devfs_label); + COUNTER_INC(devfs_init_label); } -COUNTER_DECL(init_ifnet_label); +COUNTER_DECL(ifnet_init_label); static void -mac_test_init_ifnet_label(struct label *label) +mac_test_ifnet_init_label(struct label *label) { LABEL_INIT(label, MAGIC_IFNET); - COUNTER_INC(init_ifnet_label); + COUNTER_INC(ifnet_init_label); } -COUNTER_DECL(init_inpcb_label); +COUNTER_DECL(inpcb_init_label); static int -mac_test_init_inpcb_label(struct label *label, int flag) +mac_test_inpcb_init_label(struct label *label, int flag) { if (flag & M_WAITOK) WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, - "mac_test_init_inpcb_label() at %s:%d", __FILE__, + "mac_test_inpcb_init_label() at %s:%d", __FILE__, __LINE__); LABEL_INIT(label, MAGIC_INPCB); - COUNTER_INC(init_inpcb_label); + COUNTER_INC(inpcb_init_label); return (0); } -COUNTER_DECL(init_sysv_msg_label); +COUNTER_DECL(sysvmsg_init_label); static void -mac_test_init_sysv_msgmsg_label(struct label *label) +mac_test_sysvmsg_init_label(struct label *label) { LABEL_INIT(label, MAGIC_SYSV_MSG); - COUNTER_INC(init_sysv_msg_label); + 
COUNTER_INC(sysvmsg_init_label); } -COUNTER_DECL(init_sysv_msq_label); +COUNTER_DECL(sysvmsq_init_label); static void -mac_test_init_sysv_msgqueue_label(struct label *label) +mac_test_sysvmsq_init_label(struct label *label) { LABEL_INIT(label, MAGIC_SYSV_MSQ); - COUNTER_INC(init_sysv_msq_label); + COUNTER_INC(sysvmsq_init_label); } -COUNTER_DECL(init_sysv_sem_label); +COUNTER_DECL(sysvsem_init_label); static void -mac_test_init_sysv_sem_label(struct label *label) +mac_test_sysvsem_init_label(struct label *label) { LABEL_INIT(label, MAGIC_SYSV_SEM); - COUNTER_INC(init_sysv_sem_label); + COUNTER_INC(sysvsem_init_label); } -COUNTER_DECL(init_sysv_shm_label); +COUNTER_DECL(sysvshm_init_label); static void -mac_test_init_sysv_shm_label(struct label *label) +mac_test_sysvshm_init_label(struct label *label) { LABEL_INIT(label, MAGIC_SYSV_SHM); - COUNTER_INC(init_sysv_shm_label); + COUNTER_INC(sysvshm_init_label); } -COUNTER_DECL(init_ipq_label); +COUNTER_DECL(ipq_init_label); static int -mac_test_init_ipq_label(struct label *label, int flag) +mac_test_ipq_init_label(struct label *label, int flag) { if (flag & M_WAITOK) WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, - "mac_test_init_ipq_label() at %s:%d", __FILE__, + "mac_test_ipq_init_label() at %s:%d", __FILE__, __LINE__); LABEL_INIT(label, MAGIC_IPQ); - COUNTER_INC(init_ipq_label); + COUNTER_INC(ipq_init_label); return (0); } -COUNTER_DECL(init_mbuf_label); +COUNTER_DECL(mbuf_init_label); static int -mac_test_init_mbuf_label(struct label *label, int flag) +mac_test_mbuf_init_label(struct label *label, int flag) { if (flag & M_WAITOK) WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, - "mac_test_init_mbuf_label() at %s:%d", __FILE__, + "mac_test_mbuf_init_label() at %s:%d", __FILE__, __LINE__); LABEL_INIT(label, MAGIC_MBUF); - COUNTER_INC(init_mbuf_label); + COUNTER_INC(mbuf_init_label); return (0); } -COUNTER_DECL(init_mount_label); +COUNTER_DECL(mount_init_label); static void -mac_test_init_mount_label(struct label 
*label) +mac_test_mount_init_label(struct label *label) { LABEL_INIT(label, MAGIC_MOUNT); - COUNTER_INC(init_mount_label); + COUNTER_INC(mount_init_label); } -COUNTER_DECL(init_socket_label); +COUNTER_DECL(socket_init_label); static int -mac_test_init_socket_label(struct label *label, int flag) +mac_test_socket_init_label(struct label *label, int flag) { if (flag & M_WAITOK) WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, - "mac_test_init_socket_label() at %s:%d", __FILE__, + "mac_test_socket_init_label() at %s:%d", __FILE__, __LINE__); LABEL_INIT(label, MAGIC_SOCKET); - COUNTER_INC(init_socket_label); + COUNTER_INC(socket_init_label); return (0); } -COUNTER_DECL(init_socket_peer_label); +COUNTER_DECL(socketpeer_init_label); static int -mac_test_init_socket_peer_label(struct label *label, int flag) +mac_test_socketpeer_init_label(struct label *label, int flag) { if (flag & M_WAITOK) WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, - "mac_test_init_socket_peer_label() at %s:%d", __FILE__, + "mac_test_socketpeer_init_label() at %s:%d", __FILE__, __LINE__); LABEL_INIT(label, MAGIC_SOCKET); - COUNTER_INC(init_socket_peer_label); + COUNTER_INC(socketpeer_init_label); return (0); } -COUNTER_DECL(init_pipe_label); +COUNTER_DECL(pipe_init_label); static void -mac_test_init_pipe_label(struct label *label) +mac_test_pipe_init_label(struct label *label) { LABEL_INIT(label, MAGIC_PIPE); - COUNTER_INC(init_pipe_label); + COUNTER_INC(pipe_init_label); } -COUNTER_DECL(init_posix_sem_label); +COUNTER_DECL(posixsem_init_label); static void -mac_test_init_posix_sem_label(struct label *label) +mac_test_posixsem_init_label(struct label *label) { LABEL_INIT(label, MAGIC_POSIX_SEM); - COUNTER_INC(init_posix_sem_label); + COUNTER_INC(posixsem_init_label); } -COUNTER_DECL(init_proc_label); +COUNTER_DECL(proc_init_label); static void -mac_test_init_proc_label(struct label *label) +mac_test_proc_init_label(struct label *label) { LABEL_INIT(label, MAGIC_PROC); - COUNTER_INC(init_proc_label); 
+ COUNTER_INC(proc_init_label); } -COUNTER_DECL(init_vnode_label); +COUNTER_DECL(vnode_init_label); static void -mac_test_init_vnode_label(struct label *label) +mac_test_vnode_init_label(struct label *label) { LABEL_INIT(label, MAGIC_VNODE); - COUNTER_INC(init_vnode_label); + COUNTER_INC(vnode_init_label); } -COUNTER_DECL(destroy_bpfdesc_label); +COUNTER_DECL(bpfdesc_destroy_label); static void -mac_test_destroy_bpfdesc_label(struct label *label) +mac_test_bpfdesc_destroy_label(struct label *label) { LABEL_DESTROY(label, MAGIC_BPF); - COUNTER_INC(destroy_bpfdesc_label); + COUNTER_INC(bpfdesc_destroy_label); } -COUNTER_DECL(destroy_cred_label); +COUNTER_DECL(cred_destroy_label); static void -mac_test_destroy_cred_label(struct label *label) +mac_test_cred_destroy_label(struct label *label) { LABEL_DESTROY(label, MAGIC_CRED); - COUNTER_INC(destroy_cred_label); + COUNTER_INC(cred_destroy_label); } -COUNTER_DECL(destroy_devfs_label); +COUNTER_DECL(devfs_destroy_label); static void -mac_test_destroy_devfs_label(struct label *label) +mac_test_devfs_destroy_label(struct label *label) { LABEL_DESTROY(label, MAGIC_DEVFS); - COUNTER_INC(destroy_devfs_label); + COUNTER_INC(devfs_destroy_label); } -COUNTER_DECL(destroy_ifnet_label); +COUNTER_DECL(ifnet_destroy_label); static void -mac_test_destroy_ifnet_label(struct label *label) +mac_test_ifnet_destroy_label(struct label *label) { LABEL_DESTROY(label, MAGIC_IFNET); - COUNTER_INC(destroy_ifnet_label); + COUNTER_INC(ifnet_destroy_label); } -COUNTER_DECL(destroy_inpcb_label); +COUNTER_DECL(inpcb_destroy_label); static void -mac_test_destroy_inpcb_label(struct label *label) +mac_test_inpcb_destroy_label(struct label *label) { LABEL_DESTROY(label, MAGIC_INPCB); - COUNTER_INC(destroy_inpcb_label); + COUNTER_INC(inpcb_destroy_label); } -COUNTER_DECL(destroy_sysv_msg_label); +COUNTER_DECL(sysvmsg_destroy_label); static void -mac_test_destroy_sysv_msgmsg_label(struct label *label) +mac_test_sysvmsg_destroy_label(struct label *label) { 
LABEL_DESTROY(label, MAGIC_SYSV_MSG); - COUNTER_INC(destroy_sysv_msg_label); + COUNTER_INC(sysvmsg_destroy_label); } -COUNTER_DECL(destroy_sysv_msq_label); +COUNTER_DECL(sysvmsq_destroy_label); static void -mac_test_destroy_sysv_msgqueue_label(struct label *label) +mac_test_sysvmsq_destroy_label(struct label *label) { LABEL_DESTROY(label, MAGIC_SYSV_MSQ); - COUNTER_INC(destroy_sysv_msq_label); + COUNTER_INC(sysvmsq_destroy_label); } -COUNTER_DECL(destroy_sysv_sem_label); +COUNTER_DECL(sysvsem_destroy_label); static void -mac_test_destroy_sysv_sem_label(struct label *label) +mac_test_sysvsem_destroy_label(struct label *label) { LABEL_DESTROY(label, MAGIC_SYSV_SEM); - COUNTER_INC(destroy_sysv_sem_label); + COUNTER_INC(sysvsem_destroy_label); } -COUNTER_DECL(destroy_sysv_shm_label); +COUNTER_DECL(sysvshm_destroy_label); static void -mac_test_destroy_sysv_shm_label(struct label *label) +mac_test_sysvshm_destroy_label(struct label *label) { LABEL_DESTROY(label, MAGIC_SYSV_SHM); - COUNTER_INC(destroy_sysv_shm_label); + COUNTER_INC(sysvshm_destroy_label); } -COUNTER_DECL(destroy_ipq_label); +COUNTER_DECL(ipq_destroy_label); static void -mac_test_destroy_ipq_label(struct label *label) +mac_test_ipq_destroy_label(struct label *label) { LABEL_DESTROY(label, MAGIC_IPQ); - COUNTER_INC(destroy_ipq_label); + COUNTER_INC(ipq_destroy_label); } -COUNTER_DECL(destroy_mbuf_label); +COUNTER_DECL(mbuf_destroy_label); static void -mac_test_destroy_mbuf_label(struct label *label) +mac_test_mbuf_destroy_label(struct label *label) { /* 
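Review bot: `mac_test_socketpeer_init_label()` still stamps its label with `MAGIC_SOCKET`, and `mac_test_socketpeer_destroy_label()` in the next hunk (@@ -438) checks the same value, so the test policy cannot tell a socket label from a socket-peer label. The rename now treats socketpeer as its own object class. If LABEL_INIT and LABEL_CHECK behave as their names suggest (their definitions are outside this hunk), a framework bug that hands a socket label to a peer entry point, or the reverse, would pass unnoticed. Consider a dedicated magic for peer labels, e.g. `LABEL_INIT(label, MAGIC_SOCKETPEER);`, where `MAGIC_SOCKETPEER` is a new constant this page does not define, applied to every peer-label check at once. Otherwise, add a comment saying the sharing is intentional: `/* Peer labels deliberately share MAGIC_SOCKET with socket labels. */`.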
@@ -438,130 +442,130 @@ mac_test_destroy_mbuf_label(struct label *label) return; LABEL_DESTROY(label, MAGIC_MBUF); - COUNTER_INC(destroy_mbuf_label); + COUNTER_INC(mbuf_destroy_label); } -COUNTER_DECL(destroy_mount_label); +COUNTER_DECL(mount_destroy_label); static void -mac_test_destroy_mount_label(struct label *label) +mac_test_mount_destroy_label(struct label *label) { LABEL_DESTROY(label, MAGIC_MOUNT); - COUNTER_INC(destroy_mount_label); + COUNTER_INC(mount_destroy_label); } -COUNTER_DECL(destroy_socket_label); +COUNTER_DECL(socket_destroy_label); static void -mac_test_destroy_socket_label(struct label *label) +mac_test_socket_destroy_label(struct label *label) { LABEL_DESTROY(label, MAGIC_SOCKET); - COUNTER_INC(destroy_socket_label); + COUNTER_INC(socket_destroy_label); } -COUNTER_DECL(destroy_socket_peer_label); +COUNTER_DECL(socketpeer_destroy_label); static void -mac_test_destroy_socket_peer_label(struct label *label) +mac_test_socketpeer_destroy_label(struct label *label) { LABEL_DESTROY(label, MAGIC_SOCKET); - COUNTER_INC(destroy_socket_peer_label); + COUNTER_INC(socketpeer_destroy_label); } -COUNTER_DECL(destroy_pipe_label); +COUNTER_DECL(pipe_destroy_label); static void -mac_test_destroy_pipe_label(struct label *label) +mac_test_pipe_destroy_label(struct label *label) { LABEL_DESTROY(label, MAGIC_PIPE); - COUNTER_INC(destroy_pipe_label); + COUNTER_INC(pipe_destroy_label); } -COUNTER_DECL(destroy_posix_sem_label); +COUNTER_DECL(posixsem_destroy_label); static void -mac_test_destroy_posix_sem_label(struct label *label) +mac_test_posixsem_destroy_label(struct label *label) { LABEL_DESTROY(label, MAGIC_POSIX_SEM); - COUNTER_INC(destroy_posix_sem_label); + COUNTER_INC(posixsem_destroy_label); } -COUNTER_DECL(destroy_proc_label); +COUNTER_DECL(proc_destroy_label); static void -mac_test_destroy_proc_label(struct label *label) +mac_test_proc_destroy_label(struct label *label) { LABEL_DESTROY(label, MAGIC_PROC); - COUNTER_INC(destroy_proc_label); + 
COUNTER_INC(proc_destroy_label); } -COUNTER_DECL(destroy_vnode_label); +COUNTER_DECL(vnode_destroy_label); static void -mac_test_destroy_vnode_label(struct label *label) +mac_test_vnode_destroy_label(struct label *label) { LABEL_DESTROY(label, MAGIC_VNODE); - COUNTER_INC(destroy_vnode_label); + COUNTER_INC(vnode_destroy_label); } -COUNTER_DECL(copy_cred_label); +COUNTER_DECL(cred_copy_label); static void -mac_test_copy_cred_label(struct label *src, struct label *dest) +mac_test_cred_copy_label(struct label *src, struct label *dest) { LABEL_CHECK(src, MAGIC_CRED); LABEL_CHECK(dest, MAGIC_CRED); - COUNTER_INC(copy_cred_label); + COUNTER_INC(cred_copy_label); } -COUNTER_DECL(copy_ifnet_label); +COUNTER_DECL(ifnet_copy_label); static void -mac_test_copy_ifnet_label(struct label *src, struct label *dest) +mac_test_ifnet_copy_label(struct label *src, struct label *dest) { LABEL_CHECK(src, MAGIC_IFNET); LABEL_CHECK(dest, MAGIC_IFNET); - COUNTER_INC(copy_ifnet_label); + COUNTER_INC(ifnet_copy_label); } -COUNTER_DECL(copy_mbuf_label); +COUNTER_DECL(mbuf_copy_label); static void -mac_test_copy_mbuf_label(struct label *src, struct label *dest) +mac_test_mbuf_copy_label(struct label *src, struct label *dest) { LABEL_CHECK(src, MAGIC_MBUF); LABEL_CHECK(dest, MAGIC_MBUF); - COUNTER_INC(copy_mbuf_label); + COUNTER_INC(mbuf_copy_label); } -COUNTER_DECL(copy_pipe_label); +COUNTER_DECL(pipe_copy_label); static void -mac_test_copy_pipe_label(struct label *src, struct label *dest) +mac_test_pipe_copy_label(struct label *src, struct label *dest) { LABEL_CHECK(src, MAGIC_PIPE); LABEL_CHECK(dest, MAGIC_PIPE); - COUNTER_INC(copy_pipe_label); + COUNTER_INC(pipe_copy_label); } -COUNTER_DECL(copy_socket_label); +COUNTER_DECL(socket_copy_label); static void -mac_test_copy_socket_label(struct label *src, struct label *dest) +mac_test_socket_copy_label(struct label *src, struct label *dest) { LABEL_CHECK(src, MAGIC_SOCKET); LABEL_CHECK(dest, MAGIC_SOCKET); - COUNTER_INC(copy_socket_label); + 
COUNTER_INC(socket_copy_label); } -COUNTER_DECL(copy_vnode_label); +COUNTER_DECL(vnode_copy_label); static void -mac_test_copy_vnode_label(struct label *src, struct label *dest) +mac_test_vnode_copy_label(struct label *src, struct label *dest) { LABEL_CHECK(src, MAGIC_VNODE); LABEL_CHECK(dest, MAGIC_VNODE); - COUNTER_INC(copy_vnode_label); + COUNTER_INC(vnode_copy_label); } COUNTER_DECL(externalize_label); @@ -592,9 +596,9 @@ mac_test_internalize_label(struct label *label, char *element_name, * Labeling event operations: file system objects, and things that look * a lot like file system objects. */ -COUNTER_DECL(associate_vnode_devfs); +COUNTER_DECL(devfs_vnode_associate); static void -mac_test_associate_vnode_devfs(struct mount *mp, struct label *mplabel, +mac_test_devfs_vnode_associate(struct mount *mp, struct label *mplabel, struct devfs_dirent *de, struct label *delabel, struct vnode *vp, struct label *vplabel) { 
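Review bot: Each `COUNTER_DECL()` argument is renamed along with its function in the @@ -438 hunk and in the other mac_test.c hunks (for example `destroy_socket_peer_label` becomes `socketpeer_destroy_label`). The macro presumably derives a sysctl name under the `counter` node from that argument, though its definition is not in the hunk. If so, the names exposed to userland change, and a regression script that reads the old names will no longer find its counters, with nothing at build time to flag it the way the renamed kernel callers are flagged. A short comment above the first counter would record the convention, e.g. `/* Counter names mirror the mpo_ entry point: <object>_<method>. */`, and the commit description should list the rename as user-visible.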
@@ -602,58 +606,58 @@ mac_test_associate_vnode_devfs(struct mount *mp, struct label *mplabel, LABEL_CHECK(mplabel, MAGIC_MOUNT); LABEL_CHECK(delabel, MAGIC_DEVFS); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(associate_vnode_devfs); + COUNTER_INC(devfs_vnode_associate); } -COUNTER_DECL(associate_vnode_extattr); +COUNTER_DECL(vnode_associate_extattr); static int -mac_test_associate_vnode_extattr(struct mount *mp, struct label *mplabel, +mac_test_vnode_associate_extattr(struct mount *mp, struct label *mplabel, struct vnode *vp, struct label *vplabel) { LABEL_CHECK(mplabel, MAGIC_MOUNT); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(associate_vnode_extattr); + COUNTER_INC(vnode_associate_extattr); return (0); } -COUNTER_DECL(associate_vnode_singlelabel); +COUNTER_DECL(vnode_associate_singlelabel); static void -mac_test_associate_vnode_singlelabel(struct mount *mp, struct label *mplabel, +mac_test_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel, struct vnode *vp, struct label *vplabel) { LABEL_CHECK(mplabel, MAGIC_MOUNT); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(associate_vnode_singlelabel); + COUNTER_INC(vnode_associate_singlelabel); } -COUNTER_DECL(create_devfs_device); +COUNTER_DECL(devfs_create_device); static void -mac_test_create_devfs_device(struct ucred *cred, struct mount *mp, +mac_test_devfs_create_device(struct ucred *cred, struct mount *mp, struct cdev *dev, struct devfs_dirent *de, struct label *delabel) { if (cred != NULL) LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(delabel, MAGIC_DEVFS); - COUNTER_INC(create_devfs_device); + COUNTER_INC(devfs_create_device); } -COUNTER_DECL(create_devfs_directory); +COUNTER_DECL(devfs_create_directory); static void -mac_test_create_devfs_directory(struct mount *mp, char *dirname, +mac_test_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen, struct devfs_dirent *de, struct label *delabel) { LABEL_CHECK(delabel, MAGIC_DEVFS); - 
COUNTER_INC(create_devfs_directory); + COUNTER_INC(devfs_create_directory); } -COUNTER_DECL(create_devfs_symlink); +COUNTER_DECL(devfs_create_symlink); static void -mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp, +mac_test_devfs_create_symlink(struct ucred *cred, struct mount *mp, struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, struct label *delabel) { @@ -661,12 +665,12 @@ mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp, LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(ddlabel, MAGIC_DEVFS); LABEL_CHECK(delabel, MAGIC_DEVFS); - COUNTER_INC(create_devfs_symlink); + COUNTER_INC(devfs_create_symlink); } -COUNTER_DECL(create_vnode_extattr); +COUNTER_DECL(vnode_create_extattr); static int -mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp, +mac_test_vnode_create_extattr(struct ucred *cred, struct mount *mp, struct label *mplabel, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp) { 
@@ -674,281 +678,281 @@ mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp, LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(mplabel, MAGIC_MOUNT); LABEL_CHECK(dvplabel, MAGIC_VNODE); - COUNTER_INC(create_vnode_extattr); + COUNTER_INC(vnode_create_extattr); return (0); } -COUNTER_DECL(create_mount); +COUNTER_DECL(mount_create); static void -mac_test_create_mount(struct ucred *cred, struct mount *mp, +mac_test_mount_create(struct ucred *cred, struct mount *mp, struct label *mplabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(mplabel, MAGIC_MOUNT); - COUNTER_INC(create_mount); + COUNTER_INC(mount_create); } -COUNTER_DECL(relabel_vnode); +COUNTER_DECL(vnode_relabel); static void -mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp, +mac_test_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct label *label) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); LABEL_CHECK(label, MAGIC_VNODE); - COUNTER_INC(relabel_vnode); + COUNTER_INC(vnode_relabel); } -COUNTER_DECL(setlabel_vnode_extattr); +COUNTER_DECL(vnode_setlabel_extattr); static int -mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, +mac_test_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct label *intlabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); LABEL_CHECK(intlabel, MAGIC_VNODE); - COUNTER_INC(setlabel_vnode_extattr); + COUNTER_INC(vnode_setlabel_extattr); return (0); } -COUNTER_DECL(update_devfs); +COUNTER_DECL(devfs_update); static void -mac_test_update_devfs(struct mount *mp, struct devfs_dirent *devfs_dirent, +mac_test_devfs_update(struct mount *mp, struct devfs_dirent *devfs_dirent, struct label *direntlabel, struct vnode *vp, struct label *vplabel) { LABEL_CHECK(direntlabel, MAGIC_DEVFS); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(update_devfs); + COUNTER_INC(devfs_update); } /* * Labeling event operations: 
IPC object. */ -COUNTER_DECL(create_mbuf_from_socket); +COUNTER_DECL(socket_create_mbuf); static void -mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel, +mac_test_socket_create_mbuf(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel) { LABEL_CHECK(socketlabel, MAGIC_SOCKET); LABEL_CHECK(mbuflabel, MAGIC_MBUF); - COUNTER_INC(create_mbuf_from_socket); + COUNTER_INC(socket_create_mbuf); } -COUNTER_DECL(create_socket); +COUNTER_DECL(socket_create); static void -mac_test_create_socket(struct ucred *cred, struct socket *socket, +mac_test_socket_create(struct ucred *cred, struct socket *socket, struct label *socketlabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(socketlabel, MAGIC_SOCKET); - COUNTER_INC(create_socket); + COUNTER_INC(socket_create); } -COUNTER_DECL(create_pipe); +COUNTER_DECL(pipe_create); static void -mac_test_create_pipe(struct ucred *cred, struct pipepair *pp, +mac_test_pipe_create(struct ucred *cred, struct pipepair *pp, struct label *pipelabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(pipelabel, MAGIC_PIPE); - COUNTER_INC(create_pipe); + COUNTER_INC(pipe_create); } -COUNTER_DECL(create_posix_sem); +COUNTER_DECL(posixsem_create); static void -mac_test_create_posix_sem(struct ucred *cred, struct ksem *ks, +mac_test_posixsem_create(struct ucred *cred, struct ksem *ks, struct label *kslabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); - COUNTER_INC(create_posix_sem); + COUNTER_INC(posixsem_create); } -COUNTER_DECL(create_socket_from_socket); +COUNTER_DECL(socket_newconn); static void -mac_test_create_socket_from_socket(struct socket *oldsocket, +mac_test_socket_newconn(struct socket *oldsocket, struct label *oldsocketlabel, struct socket *newsocket, struct label *newsocketlabel) { LABEL_CHECK(oldsocketlabel, MAGIC_SOCKET); LABEL_CHECK(newsocketlabel, MAGIC_SOCKET); - COUNTER_INC(create_socket_from_socket); + 
COUNTER_INC(socket_newconn); } -COUNTER_DECL(relabel_socket); +COUNTER_DECL(socket_relabel); static void -mac_test_relabel_socket(struct ucred *cred, struct socket *socket, +mac_test_socket_relabel(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct label *newlabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(newlabel, MAGIC_SOCKET); - COUNTER_INC(relabel_socket); + COUNTER_INC(socket_relabel); } -COUNTER_DECL(relabel_pipe); +COUNTER_DECL(pipe_relabel); static void -mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp, +mac_test_pipe_relabel(struct ucred *cred, struct pipepair *pp, struct label *pipelabel, struct label *newlabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(pipelabel, MAGIC_PIPE); LABEL_CHECK(newlabel, MAGIC_PIPE); - COUNTER_INC(relabel_pipe); + COUNTER_INC(pipe_relabel); } -COUNTER_DECL(set_socket_peer_from_mbuf); +COUNTER_DECL(socketpeer_set_from_mbuf); static void -mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel, +mac_test_socketpeer_set_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel, struct socket *socket, struct label *socketpeerlabel) { LABEL_CHECK(mbuflabel, MAGIC_MBUF); LABEL_CHECK(socketpeerlabel, MAGIC_SOCKET); - COUNTER_INC(set_socket_peer_from_mbuf); + COUNTER_INC(socketpeer_set_from_mbuf); } /* * Labeling event operations: network objects. 
*/ -COUNTER_DECL(set_socket_peer_from_socket); +COUNTER_DECL(socketpeer_set_from_socket); static void -mac_test_set_socket_peer_from_socket(struct socket *oldsocket, +mac_test_socketpeer_set_from_socket(struct socket *oldsocket, struct label *oldsocketlabel, struct socket *newsocket, struct label *newsocketpeerlabel) { LABEL_CHECK(oldsocketlabel, MAGIC_SOCKET); LABEL_CHECK(newsocketpeerlabel, MAGIC_SOCKET); - COUNTER_INC(set_socket_peer_from_socket); + COUNTER_INC(socketpeer_set_from_socket); } -COUNTER_DECL(create_bpfdesc); +COUNTER_DECL(bpfdesc_create); static void -mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d, +mac_test_bpfdesc_create(struct ucred *cred, struct bpf_d *bpf_d, struct label *bpflabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(bpflabel, MAGIC_BPF); - COUNTER_INC(create_bpfdesc); + COUNTER_INC(bpfdesc_create); } -COUNTER_DECL(create_datagram_from_ipq); +COUNTER_DECL(ipq_reassemble); static void -mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel, +mac_test_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel, struct mbuf *datagram, struct label *datagramlabel) { LABEL_CHECK(ipqlabel, MAGIC_IPQ); LABEL_CHECK(datagramlabel, MAGIC_MBUF); - COUNTER_INC(create_datagram_from_ipq); + COUNTER_INC(ipq_reassemble); } -COUNTER_DECL(create_fragment); +COUNTER_DECL(netinet_fragment); static void -mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel, +mac_test_netinet_fragment(struct mbuf *datagram, struct label *datagramlabel, struct mbuf *fragment, struct label *fragmentlabel) { LABEL_CHECK(datagramlabel, MAGIC_MBUF); LABEL_CHECK(fragmentlabel, MAGIC_MBUF); - COUNTER_INC(create_fragment); + COUNTER_INC(netinet_fragment); } -COUNTER_DECL(create_ifnet); +COUNTER_DECL(ifnet_create); static void -mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel) +mac_test_ifnet_create(struct ifnet *ifnet, struct label *ifnetlabel) { LABEL_CHECK(ifnetlabel, MAGIC_IFNET); - 
COUNTER_INC(create_ifnet); + COUNTER_INC(ifnet_create); } -COUNTER_DECL(create_inpcb_from_socket); +COUNTER_DECL(inpcb_create); static void -mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel, +mac_test_inpcb_create(struct socket *so, struct label *solabel, struct inpcb *inp, struct label *inplabel) { LABEL_CHECK(solabel, MAGIC_SOCKET); LABEL_CHECK(inplabel, MAGIC_INPCB); - COUNTER_INC(create_inpcb_from_socket); + COUNTER_INC(inpcb_create); } -COUNTER_DECL(create_sysv_msgmsg); +COUNTER_DECL(sysvmsg_create); static void -mac_test_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr, +mac_test_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr, struct label *msqlabel, struct msg *msgptr, struct label *msglabel) { LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ); - COUNTER_INC(create_sysv_msgmsg); + COUNTER_INC(sysvmsg_create); } -COUNTER_DECL(create_sysv_msgqueue); +COUNTER_DECL(sysvmsq_create); static void -mac_test_create_sysv_msgqueue(struct ucred *cred, +mac_test_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr, struct label *msqlabel) { LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ); - COUNTER_INC(create_sysv_msgqueue); + COUNTER_INC(sysvmsq_create); } -COUNTER_DECL(create_sysv_sem); +COUNTER_DECL(sysvsem_create); static void -mac_test_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr, +mac_test_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr, struct label *semalabel) { LABEL_CHECK(semalabel, MAGIC_SYSV_SEM); - COUNTER_INC(create_sysv_sem); + COUNTER_INC(sysvsem_create); } -COUNTER_DECL(create_sysv_shm); +COUNTER_DECL(sysvshm_create); static void -mac_test_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr, +mac_test_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr, struct label *shmlabel) { LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM); - COUNTER_INC(create_sysv_shm); + COUNTER_INC(sysvshm_create); } 
-COUNTER_DECL(create_ipq); +COUNTER_DECL(ipq_create); static void -mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel, +mac_test_ipq_create(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel) { LABEL_CHECK(fragmentlabel, MAGIC_MBUF); LABEL_CHECK(ipqlabel, MAGIC_IPQ); - COUNTER_INC(create_ipq); + COUNTER_INC(ipq_create); } -COUNTER_DECL(create_mbuf_from_inpcb); +COUNTER_DECL(inpcb_create_mbuf); static void -mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel, +mac_test_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel, struct mbuf *m, struct label *mlabel) { LABEL_CHECK(inplabel, MAGIC_INPCB); LABEL_CHECK(mlabel, MAGIC_MBUF); - COUNTER_INC(create_mbuf_from_inpcb); + COUNTER_INC(inpcb_create_mbuf); } COUNTER_DECL(create_mbuf_linklayer); 
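Review bot: `mac_test_socket_relabel` never validates `socketlabel`. It checks `cred->cr_label` and `newlabel` but skips the label of the socket being relabeled, whereas `mac_test_pipe_relabel` and `mac_test_vnode_relabel` in this same hunk check both the existing and the new label. These entry points appear to exist to assert that each label carries the expected magic, so a socket label of the wrong type would go undetected on the relabel path. I would add `LABEL_CHECK(socketlabel, MAGIC_SOCKET);` before the `newlabel` check. Whether the caller holds whatever lock protects the socket label at this point is not visible in the hunk and should be confirmed first.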
@@ -962,31 +966,31 @@ mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel, COUNTER_INC(create_mbuf_linklayer); } -COUNTER_DECL(create_mbuf_from_bpfdesc); +COUNTER_DECL(bpfdesc_create_mbuf); static void -mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel, +mac_test_bpfdesc_create_mbuf(struct bpf_d *bpf_d, struct label *bpflabel, struct mbuf *mbuf, struct label *mbuflabel) { LABEL_CHECK(bpflabel, MAGIC_BPF); LABEL_CHECK(mbuflabel, MAGIC_MBUF); - COUNTER_INC(create_mbuf_from_bpfdesc); + COUNTER_INC(bpfdesc_create_mbuf); } -COUNTER_DECL(create_mbuf_from_ifnet); +COUNTER_DECL(ifnet_create_mbuf); static void -mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel, +mac_test_ifnet_create_mbuf(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *m, struct label *mbuflabel) { LABEL_CHECK(ifnetlabel, MAGIC_IFNET); LABEL_CHECK(mbuflabel, MAGIC_MBUF); - COUNTER_INC(create_mbuf_from_ifnet); + COUNTER_INC(ifnet_create_mbuf); } -COUNTER_DECL(create_mbuf_multicast_encap); +COUNTER_DECL(mbuf_create_multicast_encap); static void -mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf, +mac_test_mbuf_create_multicast_encap(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *newmbuf, struct label *newmbuflabel) { 
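Review bot: `create_mbuf_linklayer` keeps the old verb-first name for both its counter and `mac_test_create_mbuf_linklayer`, while its neighbours in this hunk move to the object-first scheme (`bpfdesc_create_mbuf`, `ifnet_create_mbuf`, `mbuf_create_multicast_encap`). If that entry point is deliberately deferred, a short comment above its `COUNTER_DECL`, such as `/* XXX: not yet renamed to the object-first scheme. */`, would stop readers from assuming it was missed. Otherwise it should be renamed in the same pass so the counter names stay uniform. The function starts before this hunk, so only its last lines are visible here.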
@@ -994,73 +998,73 @@ mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf, LABEL_CHECK(oldmbuflabel, MAGIC_MBUF); LABEL_CHECK(ifnetlabel, MAGIC_IFNET); LABEL_CHECK(newmbuflabel, MAGIC_MBUF); - COUNTER_INC(create_mbuf_multicast_encap); + COUNTER_INC(mbuf_create_multicast_encap); } -COUNTER_DECL(create_mbuf_netlayer); +COUNTER_DECL(mbuf_create_netlayer); static void -mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf, +mac_test_mbuf_create_netlayer(struct mbuf *oldmbuf, struct label *oldmbuflabel, struct mbuf *newmbuf, struct label *newmbuflabel) { LABEL_CHECK(oldmbuflabel, MAGIC_MBUF); LABEL_CHECK(newmbuflabel, MAGIC_MBUF); - COUNTER_INC(create_mbuf_netlayer); + COUNTER_INC(mbuf_create_netlayer); } -COUNTER_DECL(fragment_match); +COUNTER_DECL(ipq_match); static int -mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel, +mac_test_ipq_match(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel) { LABEL_CHECK(fragmentlabel, MAGIC_MBUF); LABEL_CHECK(ipqlabel, MAGIC_IPQ); - COUNTER_INC(fragment_match); + COUNTER_INC(ipq_match); return (1); } -COUNTER_DECL(reflect_mbuf_icmp); +COUNTER_DECL(netinet_icmp_reply); static void -mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel) +mac_test_netinet_icmp_reply(struct mbuf *m, struct label *mlabel) { LABEL_CHECK(mlabel, MAGIC_MBUF); - COUNTER_INC(reflect_mbuf_icmp); + COUNTER_INC(netinet_icmp_reply); } -COUNTER_DECL(reflect_mbuf_tcp); +COUNTER_DECL(netinet_tcp_reply); static void -mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel) +mac_test_netinet_tcp_reply(struct mbuf *m, struct label *mlabel) { LABEL_CHECK(mlabel, MAGIC_MBUF); - COUNTER_INC(reflect_mbuf_tcp); + COUNTER_INC(netinet_tcp_reply); } -COUNTER_DECL(relabel_ifnet); +COUNTER_DECL(ifnet_relabel); static void -mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet, +mac_test_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet, struct label *ifnetlabel, struct label 
*newlabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(ifnetlabel, MAGIC_IFNET); LABEL_CHECK(newlabel, MAGIC_IFNET); - COUNTER_INC(relabel_ifnet); + COUNTER_INC(ifnet_relabel); } -COUNTER_DECL(update_ipq); +COUNTER_DECL(ipq_update); static void -mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel, +mac_test_ipq_update(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel) { LABEL_CHECK(fragmentlabel, MAGIC_MBUF); LABEL_CHECK(ipqlabel, MAGIC_IPQ); - COUNTER_INC(update_ipq); + COUNTER_INC(ipq_update); } COUNTER_DECL(inpcb_sosetlabel); @@ -1077,9 +1081,9 @@ mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel, /* * Labeling event operations: processes. */ -COUNTER_DECL(execve_transition); +COUNTER_DECL(vnode_execve_transition); static void -mac_test_execve_transition(struct ucred *old, struct ucred *new, +mac_test_vnode_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp, struct label *filelabel, struct label *interpvplabel, struct image_params *imgp, struct label *execlabel) @@ -1090,12 +1094,12 @@ mac_test_execve_transition(struct ucred *old, struct ucred *new, LABEL_CHECK(filelabel, MAGIC_VNODE); LABEL_CHECK(interpvplabel, MAGIC_VNODE); LABEL_CHECK(execlabel, MAGIC_CRED); - COUNTER_INC(execve_transition); + COUNTER_INC(vnode_execve_transition); } -COUNTER_DECL(execve_will_transition); +COUNTER_DECL(vnode_execve_will_transition); static int -mac_test_execve_will_transition(struct ucred *old, struct vnode *vp, +mac_test_vnode_execve_will_transition(struct ucred *old, struct vnode *vp, struct label *filelabel, struct label *interpvplabel, struct image_params *imgp, struct label *execlabel) { 
@@ -1104,37 +1108,37 @@ mac_test_execve_will_transition(struct ucred *old, struct vnode *vp, LABEL_CHECK(filelabel, MAGIC_VNODE); LABEL_CHECK(interpvplabel, MAGIC_VNODE); LABEL_CHECK(execlabel, MAGIC_CRED); - COUNTER_INC(execve_will_transition); + COUNTER_INC(vnode_execve_will_transition); return (0); } -COUNTER_DECL(create_proc0); +COUNTER_DECL(proc_create_swapper); static void -mac_test_create_proc0(struct ucred *cred) +mac_test_proc_create_swapper(struct ucred *cred) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(create_proc0); + COUNTER_INC(proc_create_swapper); } -COUNTER_DECL(create_proc1); +COUNTER_DECL(proc_create_init); static void -mac_test_create_proc1(struct ucred *cred) +mac_test_proc_create_init(struct ucred *cred) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(create_proc1); + COUNTER_INC(proc_create_init); } -COUNTER_DECL(relabel_cred); +COUNTER_DECL(cred_relabel); static void -mac_test_relabel_cred(struct ucred *cred, struct label *newlabel) +mac_test_cred_relabel(struct ucred *cred, struct label *newlabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(newlabel, MAGIC_CRED); - COUNTER_INC(relabel_cred); + COUNTER_INC(cred_relabel); } COUNTER_DECL(thread_userret); 
@@ -1148,125 +1152,125 @@ mac_test_thread_userret(struct thread *td) /* * Label cleanup/flush operations */ -COUNTER_DECL(cleanup_sysv_msgmsg); +COUNTER_DECL(sysvmsg_cleanup); static void -mac_test_cleanup_sysv_msgmsg(struct label *msglabel) +mac_test_sysvmsg_cleanup(struct label *msglabel) { LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); - COUNTER_INC(cleanup_sysv_msgmsg); + COUNTER_INC(sysvmsg_cleanup); } -COUNTER_DECL(cleanup_sysv_msgqueue); +COUNTER_DECL(sysvmsq_cleanup); static void -mac_test_cleanup_sysv_msgqueue(struct label *msqlabel) +mac_test_sysvmsq_cleanup(struct label *msqlabel) { LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ); - COUNTER_INC(cleanup_sysv_msgqueue); + COUNTER_INC(sysvmsq_cleanup); } -COUNTER_DECL(cleanup_sysv_sem); +COUNTER_DECL(sysvsem_cleanup); static void -mac_test_cleanup_sysv_sem(struct label *semalabel) +mac_test_sysvsem_cleanup(struct label *semalabel) { LABEL_CHECK(semalabel, MAGIC_SYSV_SEM); - COUNTER_INC(cleanup_sysv_sem); + COUNTER_INC(sysvsem_cleanup); } -COUNTER_DECL(cleanup_sysv_shm); +COUNTER_DECL(sysvshm_cleanup); static void -mac_test_cleanup_sysv_shm(struct label *shmlabel) +mac_test_sysvshm_cleanup(struct label *shmlabel) { LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM); - COUNTER_INC(cleanup_sysv_shm); + COUNTER_INC(sysvshm_cleanup); } /* * Access control checks. 
*/ -COUNTER_DECL(check_bpfdesc_receive); +COUNTER_DECL(bpfdesc_check_receive); static int -mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel, +mac_test_bpfdesc_check_receive(struct bpf_d *bpf_d, struct label *bpflabel, struct ifnet *ifnet, struct label *ifnetlabel) { LABEL_CHECK(bpflabel, MAGIC_BPF); LABEL_CHECK(ifnetlabel, MAGIC_IFNET); - COUNTER_INC(check_bpfdesc_receive); + COUNTER_INC(bpfdesc_check_receive); return (0); } -COUNTER_DECL(check_cred_relabel); +COUNTER_DECL(cred_check_relabel); static int -mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel) +mac_test_cred_check_relabel(struct ucred *cred, struct label *newlabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(newlabel, MAGIC_CRED); - COUNTER_INC(check_cred_relabel); + COUNTER_INC(cred_check_relabel); return (0); } -COUNTER_DECL(check_cred_visible); +COUNTER_DECL(cred_check_visible); static int -mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2) +mac_test_cred_check_visible(struct ucred *u1, struct ucred *u2) { LABEL_CHECK(u1->cr_label, MAGIC_CRED); LABEL_CHECK(u2->cr_label, MAGIC_CRED); - COUNTER_INC(check_cred_visible); + COUNTER_INC(cred_check_visible); return (0); } -COUNTER_DECL(check_ifnet_relabel); +COUNTER_DECL(ifnet_check_relabel); static int -mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet, +mac_test_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifnet, struct label *ifnetlabel, struct label *newlabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(ifnetlabel, MAGIC_IFNET); LABEL_CHECK(newlabel, MAGIC_IFNET); - COUNTER_INC(check_ifnet_relabel); + COUNTER_INC(ifnet_check_relabel); return (0); } -COUNTER_DECL(check_ifnet_transmit); +COUNTER_DECL(ifnet_check_transmit); static int -mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel, +mac_test_ifnet_check_transmit(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *m, struct label *mbuflabel) { 
LABEL_CHECK(ifnetlabel, MAGIC_IFNET); LABEL_CHECK(mbuflabel, MAGIC_MBUF); - COUNTER_INC(check_ifnet_transmit); + COUNTER_INC(ifnet_check_transmit); return (0); } -COUNTER_DECL(check_inpcb_deliver); +COUNTER_DECL(inpcb_check_deliver); static int -mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel, +mac_test_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel, struct mbuf *m, struct label *mlabel) { LABEL_CHECK(inplabel, MAGIC_INPCB); LABEL_CHECK(mlabel, MAGIC_MBUF); - COUNTER_INC(check_inpcb_deliver); + COUNTER_INC(inpcb_check_deliver); return (0); } -COUNTER_DECL(check_sysv_msgmsq); +COUNTER_DECL(sysvmsq_check_msgmsq); static int -mac_test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr, +mac_test_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr, struct label *msglabel, struct msqid_kernel *msqkptr, struct label *msqklabel) { 
@@ -1274,859 +1278,859 @@ mac_test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr, LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_sysv_msgmsq); + COUNTER_INC(sysvmsq_check_msgmsq); return (0); } -COUNTER_DECL(check_sysv_msgrcv); +COUNTER_DECL(sysvmsq_check_msgrcv); static int -mac_test_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr, +mac_test_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr, struct label *msglabel) { LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_sysv_msgrcv); + COUNTER_INC(sysvmsq_check_msgrcv); return (0); } -COUNTER_DECL(check_sysv_msgrmid); +COUNTER_DECL(sysvmsq_check_msgrmid); static int -mac_test_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr, +mac_test_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr, struct label *msglabel) { LABEL_CHECK(msglabel, MAGIC_SYSV_MSG); LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_sysv_msgrmid); + COUNTER_INC(sysvmsq_check_msgrmid); return (0); } -COUNTER_DECL(check_sysv_msqget); +COUNTER_DECL(sysvmsq_check_msqget); static int -mac_test_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr, - struct label *msqklabel) +mac_test_sysvmsq_check_msqget(struct ucred *cred, + struct msqid_kernel *msqkptr, struct label *msqklabel) { LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_sysv_msqget); + COUNTER_INC(sysvmsq_check_msqget); return (0); } -COUNTER_DECL(check_sysv_msqsnd); +COUNTER_DECL(sysvmsq_check_msqsnd); static int -mac_test_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr, - struct label *msqklabel) +mac_test_sysvmsq_check_msqsnd(struct ucred *cred, + struct msqid_kernel *msqkptr, struct label *msqklabel) { LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); LABEL_CHECK(cred->cr_label, MAGIC_CRED); - 
COUNTER_INC(check_sysv_msqsnd); + COUNTER_INC(sysvmsq_check_msqsnd); return (0); } -COUNTER_DECL(check_sysv_msqrcv); +COUNTER_DECL(sysvmsq_check_msqrcv); static int -mac_test_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr, - struct label *msqklabel) +mac_test_sysvmsq_check_msqrcv(struct ucred *cred, + struct msqid_kernel *msqkptr, struct label *msqklabel) { LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_sysv_msqrcv); + COUNTER_INC(sysvmsq_check_msqrcv); return (0); } -COUNTER_DECL(check_sysv_msqctl); +COUNTER_DECL(sysvmsq_check_msqctl); static int -mac_test_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr, - struct label *msqklabel, int cmd) +mac_test_sysvmsq_check_msqctl(struct ucred *cred, + struct msqid_kernel *msqkptr, struct label *msqklabel, int cmd) { LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ); LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_sysv_msqctl); + COUNTER_INC(sysvmsq_check_msqctl); return (0); } -COUNTER_DECL(check_sysv_semctl); +COUNTER_DECL(sysvsem_check_semctl); static int -mac_test_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr, - struct label *semaklabel, int cmd) +mac_test_sysvsem_check_semctl(struct ucred *cred, + struct semid_kernel *semakptr, struct label *semaklabel, int cmd) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM); - COUNTER_INC(check_sysv_semctl); + COUNTER_INC(sysvsem_check_semctl); return (0); } -COUNTER_DECL(check_sysv_semget); +COUNTER_DECL(sysvsem_check_semget); static int -mac_test_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr, - struct label *semaklabel) +mac_test_sysvsem_check_semget(struct ucred *cred, + struct semid_kernel *semakptr, struct label *semaklabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM); - COUNTER_INC(check_sysv_semget); + COUNTER_INC(sysvsem_check_semget); return (0); } 
-COUNTER_DECL(check_sysv_semop); +COUNTER_DECL(sysvsem_check_semop); static int -mac_test_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr, - struct label *semaklabel, size_t accesstype) +mac_test_sysvsem_check_semop(struct ucred *cred, + struct semid_kernel *semakptr, struct label *semaklabel, size_t accesstype) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM); - COUNTER_INC(check_sysv_semop); + COUNTER_INC(sysvsem_check_semop); return (0); } -COUNTER_DECL(check_sysv_shmat); +COUNTER_DECL(sysvshm_check_shmat); static int -mac_test_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr, - struct label *shmseglabel, int shmflg) +mac_test_sysvshm_check_shmat(struct ucred *cred, + struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); - COUNTER_INC(check_sysv_shmat); + COUNTER_INC(sysvshm_check_shmat); return (0); } -COUNTER_DECL(check_sysv_shmctl); +COUNTER_DECL(sysvshm_check_shmctl); static int -mac_test_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr, - struct label *shmseglabel, int cmd) +mac_test_sysvshm_check_shmctl(struct ucred *cred, + struct shmid_kernel *shmsegptr, struct label *shmseglabel, int cmd) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); - COUNTER_INC(check_sysv_shmctl); + COUNTER_INC(sysvshm_check_shmctl); return (0); } -COUNTER_DECL(check_sysv_shmdt); +COUNTER_DECL(sysvshm_check_shmdt); static int -mac_test_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr, - struct label *shmseglabel) +mac_test_sysvshm_check_shmdt(struct ucred *cred, + struct shmid_kernel *shmsegptr, struct label *shmseglabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); - COUNTER_INC(check_sysv_shmdt); + COUNTER_INC(sysvshm_check_shmdt); return (0); } -COUNTER_DECL(check_sysv_shmget); 
+COUNTER_DECL(sysvshm_check_shmget); static int -mac_test_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr, - struct label *shmseglabel, int shmflg) +mac_test_sysvshm_check_shmget(struct ucred *cred, + struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM); - COUNTER_INC(check_sysv_shmget); + COUNTER_INC(sysvshm_check_shmget); return (0); } -COUNTER_DECL(check_kenv_dump); +COUNTER_DECL(kenv_check_dump); static int -mac_test_check_kenv_dump(struct ucred *cred) +mac_test_kenv_check_dump(struct ucred *cred) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_kenv_dump); + COUNTER_INC(kenv_check_dump); return (0); } -COUNTER_DECL(check_kenv_get); +COUNTER_DECL(kenv_check_get); static int -mac_test_check_kenv_get(struct ucred *cred, char *name) +mac_test_kenv_check_get(struct ucred *cred, char *name) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_kenv_get); + COUNTER_INC(kenv_check_get); return (0); } -COUNTER_DECL(check_kenv_set); +COUNTER_DECL(kenv_check_set); static int -mac_test_check_kenv_set(struct ucred *cred, char *name, char *value) +mac_test_kenv_check_set(struct ucred *cred, char *name, char *value) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_kenv_set); + COUNTER_INC(kenv_check_set); return (0); } -COUNTER_DECL(check_kenv_unset); +COUNTER_DECL(kenv_check_unset); static int -mac_test_check_kenv_unset(struct ucred *cred, char *name) +mac_test_kenv_check_unset(struct ucred *cred, char *name) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_kenv_unset); + COUNTER_INC(kenv_check_unset); return (0); } -COUNTER_DECL(check_kld_load); +COUNTER_DECL(kld_check_load); static int -mac_test_check_kld_load(struct ucred *cred, struct vnode *vp, +mac_test_kld_check_load(struct ucred *cred, struct vnode *vp, struct label *label) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(label, 
MAGIC_VNODE); - COUNTER_INC(check_kld_load); + COUNTER_INC(kld_check_load); return (0); } -COUNTER_DECL(check_kld_stat); +COUNTER_DECL(kld_check_stat); static int -mac_test_check_kld_stat(struct ucred *cred) +mac_test_kld_check_stat(struct ucred *cred) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_kld_stat); + COUNTER_INC(kld_check_stat); return (0); } -COUNTER_DECL(check_mount_stat); +COUNTER_DECL(mount_check_stat); static int -mac_test_check_mount_stat(struct ucred *cred, struct mount *mp, +mac_test_mount_check_stat(struct ucred *cred, struct mount *mp, struct label *mplabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(mplabel, MAGIC_MOUNT); - COUNTER_INC(check_mount_stat); + COUNTER_INC(mount_check_stat); return (0); } -COUNTER_DECL(check_pipe_ioctl); +COUNTER_DECL(pipe_check_ioctl); static int -mac_test_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp, +mac_test_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp, struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(pipelabel, MAGIC_PIPE); - COUNTER_INC(check_pipe_ioctl); + COUNTER_INC(pipe_check_ioctl); return (0); } -COUNTER_DECL(check_pipe_poll); +COUNTER_DECL(pipe_check_poll); static int -mac_test_check_pipe_poll(struct ucred *cred, struct pipepair *pp, +mac_test_pipe_check_poll(struct ucred *cred, struct pipepair *pp, struct label *pipelabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(pipelabel, MAGIC_PIPE); - COUNTER_INC(check_pipe_poll); + COUNTER_INC(pipe_check_poll); return (0); } -COUNTER_DECL(check_pipe_read); +COUNTER_DECL(pipe_check_read); static int -mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp, +mac_test_pipe_check_read(struct ucred *cred, struct pipepair *pp, struct label *pipelabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(pipelabel, MAGIC_PIPE); - COUNTER_INC(check_pipe_read); + COUNTER_INC(pipe_check_read); return (0); } 
-COUNTER_DECL(check_pipe_relabel); +COUNTER_DECL(pipe_check_relabel); static int -mac_test_check_pipe_relabel(struct ucred *cred, struct pipepair *pp, +mac_test_pipe_check_relabel(struct ucred *cred, struct pipepair *pp, struct label *pipelabel, struct label *newlabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(pipelabel, MAGIC_PIPE); LABEL_CHECK(newlabel, MAGIC_PIPE); - COUNTER_INC(check_pipe_relabel); + COUNTER_INC(pipe_check_relabel); return (0); } -COUNTER_DECL(check_pipe_stat); +COUNTER_DECL(pipe_check_stat); static int -mac_test_check_pipe_stat(struct ucred *cred, struct pipepair *pp, +mac_test_pipe_check_stat(struct ucred *cred, struct pipepair *pp, struct label *pipelabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(pipelabel, MAGIC_PIPE); - COUNTER_INC(check_pipe_stat); + COUNTER_INC(pipe_check_stat); return (0); } -COUNTER_DECL(check_pipe_write); +COUNTER_DECL(pipe_check_write); static int -mac_test_check_pipe_write(struct ucred *cred, struct pipepair *pp, +mac_test_pipe_check_write(struct ucred *cred, struct pipepair *pp, struct label *pipelabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(pipelabel, MAGIC_PIPE); - COUNTER_INC(check_pipe_write); + COUNTER_INC(pipe_check_write); return (0); } -COUNTER_DECL(check_posix_sem); +COUNTER_DECL(posixsem_check); static int -mac_test_check_posix_sem(struct ucred *cred, struct ksem *ks, +mac_test_posixsem_check(struct ucred *cred, struct ksem *ks, struct label *kslabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(kslabel, MAGIC_POSIX_SEM); - COUNTER_INC(check_posix_sem); + COUNTER_INC(posixsem_check); return (0); } -COUNTER_DECL(check_proc_debug); +COUNTER_DECL(proc_check_debug); static int -mac_test_check_proc_debug(struct ucred *cred, struct proc *p) +mac_test_proc_check_debug(struct ucred *cred, struct proc *p) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); - COUNTER_INC(check_proc_debug); + COUNTER_INC(proc_check_debug); 
return (0); } -COUNTER_DECL(check_proc_sched); +COUNTER_DECL(proc_check_sched); static int -mac_test_check_proc_sched(struct ucred *cred, struct proc *p) +mac_test_proc_check_sched(struct ucred *cred, struct proc *p) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); - COUNTER_INC(check_proc_sched); + COUNTER_INC(proc_check_sched); return (0); } -COUNTER_DECL(check_proc_signal); +COUNTER_DECL(proc_check_signal); static int -mac_test_check_proc_signal(struct ucred *cred, struct proc *p, int signum) +mac_test_proc_check_signal(struct ucred *cred, struct proc *p, int signum) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); - COUNTER_INC(check_proc_signal); + COUNTER_INC(proc_check_signal); return (0); } -COUNTER_DECL(check_proc_setaudit); +COUNTER_DECL(proc_check_setaudit); static int -mac_test_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai) +mac_test_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_proc_setaudit); + COUNTER_INC(proc_check_setaudit); return (0); } -COUNTER_DECL(check_proc_setaudit_addr); +COUNTER_DECL(proc_check_setaudit_addr); static int -mac_test_check_proc_setaudit_addr(struct ucred *cred, +mac_test_proc_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_proc_setaudit_addr); + COUNTER_INC(proc_check_setaudit_addr); return (0); } -COUNTER_DECL(check_proc_setauid); +COUNTER_DECL(proc_check_setauid); static int -mac_test_check_proc_setauid(struct ucred *cred, uid_t auid) +mac_test_proc_check_setauid(struct ucred *cred, uid_t auid) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_proc_setauid); + COUNTER_INC(proc_check_setauid); return (0); } -COUNTER_DECL(check_proc_setuid); +COUNTER_DECL(proc_check_setuid); static int -mac_test_check_proc_setuid(struct ucred *cred, uid_t uid) 
+mac_test_proc_check_setuid(struct ucred *cred, uid_t uid) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_proc_setuid); + COUNTER_INC(proc_check_setuid); return (0); } -COUNTER_DECL(check_proc_euid); +COUNTER_DECL(proc_check_euid); static int -mac_test_check_proc_seteuid(struct ucred *cred, uid_t euid) +mac_test_proc_check_seteuid(struct ucred *cred, uid_t euid) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_proc_euid); + COUNTER_INC(proc_check_euid); return (0); } -COUNTER_DECL(check_proc_setgid); +COUNTER_DECL(proc_check_setgid); static int -mac_test_check_proc_setgid(struct ucred *cred, gid_t gid) +mac_test_proc_check_setgid(struct ucred *cred, gid_t gid) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_proc_setgid); + COUNTER_INC(proc_check_setgid); return (0); } -COUNTER_DECL(check_proc_setegid); +COUNTER_DECL(proc_check_setegid); static int -mac_test_check_proc_setegid(struct ucred *cred, gid_t egid) +mac_test_proc_check_setegid(struct ucred *cred, gid_t egid) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_proc_setegid); + COUNTER_INC(proc_check_setegid); return (0); } -COUNTER_DECL(check_proc_setgroups); +COUNTER_DECL(proc_check_setgroups); static int -mac_test_check_proc_setgroups(struct ucred *cred, int ngroups, +mac_test_proc_check_setgroups(struct ucred *cred, int ngroups, gid_t *gidset) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_proc_setgroups); + COUNTER_INC(proc_check_setgroups); return (0); } -COUNTER_DECL(check_proc_setreuid); +COUNTER_DECL(proc_check_setreuid); static int -mac_test_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid) +mac_test_proc_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_proc_setreuid); + COUNTER_INC(proc_check_setreuid); return (0); } -COUNTER_DECL(check_proc_setregid); +COUNTER_DECL(proc_check_setregid); static int -mac_test_check_proc_setregid(struct ucred 
*cred, gid_t rgid, gid_t egid) +mac_test_proc_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_proc_setregid); + COUNTER_INC(proc_check_setregid); return (0); } -COUNTER_DECL(check_proc_setresuid); +COUNTER_DECL(proc_check_setresuid); static int -mac_test_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid, +mac_test_proc_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid, uid_t suid) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_proc_setresuid); + COUNTER_INC(proc_check_setresuid); return (0); } -COUNTER_DECL(check_proc_setresgid); +COUNTER_DECL(proc_check_setresgid); static int -mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, +mac_test_proc_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, gid_t sgid) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_proc_setresgid); + COUNTER_INC(proc_check_setresgid); return (0); } -COUNTER_DECL(check_proc_wait); +COUNTER_DECL(proc_check_wait); static int -mac_test_check_proc_wait(struct ucred *cred, struct proc *p) +mac_test_proc_check_wait(struct ucred *cred, struct proc *p) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED); - COUNTER_INC(check_proc_wait); + COUNTER_INC(proc_check_wait); return (0); } -COUNTER_DECL(check_socket_accept); +COUNTER_DECL(socket_check_accept); static int -mac_test_check_socket_accept(struct ucred *cred, struct socket *so, +mac_test_socket_check_accept(struct ucred *cred, struct socket *so, struct label *solabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(solabel, MAGIC_SOCKET); - COUNTER_INC(check_socket_accept); + COUNTER_INC(socket_check_accept); return (0); } -COUNTER_DECL(check_socket_bind); +COUNTER_DECL(socket_check_bind); static int -mac_test_check_socket_bind(struct ucred *cred, struct socket *so, +mac_test_socket_check_bind(struct ucred *cred, struct socket *so, struct label 
*solabel, struct sockaddr *sa) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(solabel, MAGIC_SOCKET); - COUNTER_INC(check_socket_bind); + COUNTER_INC(socket_check_bind); return (0); } -COUNTER_DECL(check_socket_connect); +COUNTER_DECL(socket_check_connect); static int -mac_test_check_socket_connect(struct ucred *cred, struct socket *so, +mac_test_socket_check_connect(struct ucred *cred, struct socket *so, struct label *solabel, struct sockaddr *sa) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(solabel, MAGIC_SOCKET); - COUNTER_INC(check_socket_connect); + COUNTER_INC(socket_check_connect); return (0); } -COUNTER_DECL(check_socket_deliver); +COUNTER_DECL(socket_check_deliver); static int -mac_test_check_socket_deliver(struct socket *so, struct label *solabel, +mac_test_socket_check_deliver(struct socket *so, struct label *solabel, struct mbuf *m, struct label *mlabel) { LABEL_CHECK(solabel, MAGIC_SOCKET); LABEL_CHECK(mlabel, MAGIC_MBUF); - COUNTER_INC(check_socket_deliver); + COUNTER_INC(socket_check_deliver); return (0); } -COUNTER_DECL(check_socket_listen); +COUNTER_DECL(socket_check_listen); static int -mac_test_check_socket_listen(struct ucred *cred, struct socket *so, +mac_test_socket_check_listen(struct ucred *cred, struct socket *so, struct label *solabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(solabel, MAGIC_SOCKET); - COUNTER_INC(check_socket_listen); + COUNTER_INC(socket_check_listen); return (0); } -COUNTER_DECL(check_socket_poll); +COUNTER_DECL(socket_check_poll); static int -mac_test_check_socket_poll(struct ucred *cred, struct socket *so, +mac_test_socket_check_poll(struct ucred *cred, struct socket *so, struct label *solabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(solabel, MAGIC_SOCKET); - COUNTER_INC(check_socket_poll); + COUNTER_INC(socket_check_poll); return (0); } -COUNTER_DECL(check_socket_receive); +COUNTER_DECL(socket_check_receive); static int -mac_test_check_socket_receive(struct ucred *cred, 
struct socket *so, +mac_test_socket_check_receive(struct ucred *cred, struct socket *so, struct label *solabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(solabel, MAGIC_SOCKET); - COUNTER_INC(check_socket_receive); + COUNTER_INC(socket_check_receive); return (0); } -COUNTER_DECL(check_socket_relabel); +COUNTER_DECL(socket_check_relabel); static int -mac_test_check_socket_relabel(struct ucred *cred, struct socket *so, +mac_test_socket_check_relabel(struct ucred *cred, struct socket *so, struct label *solabel, struct label *newlabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(solabel, MAGIC_SOCKET); LABEL_CHECK(newlabel, MAGIC_SOCKET); - COUNTER_INC(check_socket_relabel); + COUNTER_INC(socket_check_relabel); return (0); } -COUNTER_DECL(check_socket_send); +COUNTER_DECL(socket_check_send); static int -mac_test_check_socket_send(struct ucred *cred, struct socket *so, +mac_test_socket_check_send(struct ucred *cred, struct socket *so, struct label *solabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(solabel, MAGIC_SOCKET); - COUNTER_INC(check_socket_send); + COUNTER_INC(socket_check_send); return (0); } -COUNTER_DECL(check_socket_stat); +COUNTER_DECL(socket_check_stat); static int -mac_test_check_socket_stat(struct ucred *cred, struct socket *so, +mac_test_socket_check_stat(struct ucred *cred, struct socket *so, struct label *solabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(solabel, MAGIC_SOCKET); - COUNTER_INC(check_socket_stat); + COUNTER_INC(socket_check_stat); return (0); } -COUNTER_DECL(check_socket_visible); +COUNTER_DECL(socket_check_visible); static int -mac_test_check_socket_visible(struct ucred *cred, struct socket *so, +mac_test_socket_check_visible(struct ucred *cred, struct socket *so, struct label *solabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(solabel, MAGIC_SOCKET); - COUNTER_INC(check_socket_visible); + COUNTER_INC(socket_check_visible); return (0); } -COUNTER_DECL(check_system_acct); 
+COUNTER_DECL(system_check_acct); static int -mac_test_check_system_acct(struct ucred *cred, struct vnode *vp, +mac_test_system_check_acct(struct ucred *cred, struct vnode *vp, struct label *vplabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_system_acct); + COUNTER_INC(system_check_acct); return (0); } -COUNTER_DECL(check_system_audit); +COUNTER_DECL(system_check_audit); static int -mac_test_check_system_audit(struct ucred *cred, void *record, int length) +mac_test_system_check_audit(struct ucred *cred, void *record, int length) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_system_audit); + COUNTER_INC(system_check_audit); return (0); } -COUNTER_DECL(check_system_auditctl); +COUNTER_DECL(system_check_auditctl); static int -mac_test_check_system_auditctl(struct ucred *cred, struct vnode *vp, +mac_test_system_check_auditctl(struct ucred *cred, struct vnode *vp, struct label *vplabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_system_auditctl); + COUNTER_INC(system_check_auditctl); return (0); } -COUNTER_DECL(check_system_auditon); +COUNTER_DECL(system_check_auditon); static int -mac_test_check_system_auditon(struct ucred *cred, int cmd) +mac_test_system_check_auditon(struct ucred *cred, int cmd) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_system_auditon); + COUNTER_INC(system_check_auditon); return (0); } -COUNTER_DECL(check_system_reboot); +COUNTER_DECL(system_check_reboot); static int -mac_test_check_system_reboot(struct ucred *cred, int how) +mac_test_system_check_reboot(struct ucred *cred, int how) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_system_reboot); + COUNTER_INC(system_check_reboot); return (0); } -COUNTER_DECL(check_system_swapoff); +COUNTER_DECL(system_check_swapoff); static int -mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp, +mac_test_system_check_swapoff(struct ucred 
*cred, struct vnode *vp, struct label *vplabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_system_swapoff); + COUNTER_INC(system_check_swapoff); return (0); } -COUNTER_DECL(check_system_swapon); +COUNTER_DECL(system_check_swapon); static int -mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp, +mac_test_system_check_swapon(struct ucred *cred, struct vnode *vp, struct label *vplabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_system_swapon); + COUNTER_INC(system_check_swapon); return (0); } -COUNTER_DECL(check_system_sysctl); +COUNTER_DECL(system_check_sysctl); static int -mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, +mac_test_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp, void *arg1, int arg2, struct sysctl_req *req) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(check_system_sysctl); + COUNTER_INC(system_check_sysctl); return (0); } -COUNTER_DECL(check_vnode_access); +COUNTER_DECL(vnode_check_access); static int -mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp, +mac_test_vnode_check_access(struct ucred *cred, struct vnode *vp, struct label *vplabel, int acc_mode) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_access); + COUNTER_INC(vnode_check_access); return (0); } -COUNTER_DECL(check_vnode_chdir); +COUNTER_DECL(vnode_check_chdir); static int -mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp, +mac_test_vnode_check_chdir(struct ucred *cred, struct vnode *dvp, struct label *dvplabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(dvplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_chdir); + COUNTER_INC(vnode_check_chdir); return (0); } -COUNTER_DECL(check_vnode_chroot); +COUNTER_DECL(vnode_check_chroot); static int -mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp, 
+mac_test_vnode_check_chroot(struct ucred *cred, struct vnode *dvp, struct label *dvplabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(dvplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_chroot); + COUNTER_INC(vnode_check_chroot); return (0); } -COUNTER_DECL(check_vnode_create); +COUNTER_DECL(vnode_check_create); static int -mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp, +mac_test_vnode_check_create(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct componentname *cnp, struct vattr *vap) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(dvplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_create); + COUNTER_INC(vnode_check_create); return (0); } -COUNTER_DECL(check_vnode_deleteacl); +COUNTER_DECL(vnode_check_deleteacl); static int -mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, +mac_test_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp, struct label *vplabel, acl_type_t type) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_deleteacl); + COUNTER_INC(vnode_check_deleteacl); return (0); } -COUNTER_DECL(check_vnode_deleteextattr); +COUNTER_DECL(vnode_check_deleteextattr); static int -mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp, +mac_test_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp, struct label *vplabel, int attrnamespace, const char *name) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_deleteextattr); + COUNTER_INC(vnode_check_deleteextattr); return (0); } -COUNTER_DECL(check_vnode_exec); +COUNTER_DECL(vnode_check_exec); static int -mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp, +mac_test_vnode_check_exec(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct image_params *imgp, struct label *execlabel) { 
@@ -2134,41 +2138,41 @@ mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp, LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); LABEL_CHECK(execlabel, MAGIC_CRED); - COUNTER_INC(check_vnode_exec); + COUNTER_INC(vnode_check_exec); return (0); } -COUNTER_DECL(check_vnode_getacl); +COUNTER_DECL(vnode_check_getacl); static int -mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp, +mac_test_vnode_check_getacl(struct ucred *cred, struct vnode *vp, struct label *vplabel, acl_type_t type) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_getacl); + COUNTER_INC(vnode_check_getacl); return (0); } -COUNTER_DECL(check_vnode_getextattr); +COUNTER_DECL(vnode_check_getextattr); static int -mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, +mac_test_vnode_check_getextattr(struct ucred *cred, struct vnode *vp, struct label *vplabel, int attrnamespace, const char *name, struct uio *uio) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_getextattr); + COUNTER_INC(vnode_check_getextattr); return (0); } -COUNTER_DECL(check_vnode_link); +COUNTER_DECL(vnode_check_link); static int -mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp, +mac_test_vnode_check_link(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp) { 
@@ -2176,66 +2180,66 @@ mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp, LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(dvplabel, MAGIC_VNODE); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_link); + COUNTER_INC(vnode_check_link); return (0); } -COUNTER_DECL(check_vnode_listextattr); +COUNTER_DECL(vnode_check_listextattr); static int -mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, +mac_test_vnode_check_listextattr(struct ucred *cred, struct vnode *vp, struct label *vplabel, int attrnamespace) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_listextattr); + COUNTER_INC(vnode_check_listextattr); return (0); } -COUNTER_DECL(check_vnode_lookup); +COUNTER_DECL(vnode_check_lookup); static int -mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, +mac_test_vnode_check_lookup(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct componentname *cnp) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(dvplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_lookup); + COUNTER_INC(vnode_check_lookup); return (0); } -COUNTER_DECL(check_vnode_mmap); +COUNTER_DECL(vnode_check_mmap); static int -mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp, +mac_test_vnode_check_mmap(struct ucred *cred, struct vnode *vp, struct label *vplabel, int prot, int flags) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_mmap); + COUNTER_INC(vnode_check_mmap); return (0); } -COUNTER_DECL(check_vnode_open); +COUNTER_DECL(vnode_check_open); static int -mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp, +mac_test_vnode_check_open(struct ucred *cred, struct vnode *vp, struct label *vplabel, int acc_mode) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_open); + COUNTER_INC(vnode_check_open); return (0); } 
-COUNTER_DECL(check_vnode_poll); +COUNTER_DECL(vnode_check_poll); static int -mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, +mac_test_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, struct label *vplabel) { @@ -2243,14 +2247,14 @@ mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, if (file_cred != NULL) LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_poll); + COUNTER_INC(vnode_check_poll); return (0); } -COUNTER_DECL(check_vnode_read); +COUNTER_DECL(vnode_check_read); static int -mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, +mac_test_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, struct label *vplabel) { 
@@ -2258,54 +2262,54 @@ mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, if (file_cred != NULL) LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_read); + COUNTER_INC(vnode_check_read); return (0); } -COUNTER_DECL(check_vnode_readdir); +COUNTER_DECL(vnode_check_readdir); static int -mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, +mac_test_vnode_check_readdir(struct ucred *cred, struct vnode *dvp, struct label *dvplabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(dvplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_readdir); + COUNTER_INC(vnode_check_readdir); return (0); } -COUNTER_DECL(check_vnode_readlink); +COUNTER_DECL(vnode_check_readlink); static int -mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp, +mac_test_vnode_check_readlink(struct ucred *cred, struct vnode *vp, struct label *vplabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_readlink); + COUNTER_INC(vnode_check_readlink); return (0); } -COUNTER_DECL(check_vnode_relabel); +COUNTER_DECL(vnode_check_relabel); static int -mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp, +mac_test_vnode_check_relabel(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct label *newlabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); LABEL_CHECK(newlabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_relabel); + COUNTER_INC(vnode_check_relabel); return (0); } -COUNTER_DECL(check_vnode_rename_from); +COUNTER_DECL(vnode_check_rename_from); static int -mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, +mac_test_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp) { 
@@ -2313,14 +2317,14 @@ mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(dvplabel, MAGIC_VNODE); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_rename_from); + COUNTER_INC(vnode_check_rename_from); return (0); } -COUNTER_DECL(check_vnode_rename_to); +COUNTER_DECL(vnode_check_rename_to); static int -mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, +mac_test_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, int samedir, struct componentname *cnp) { 
@@ -2328,106 +2332,106 @@ mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(dvplabel, MAGIC_VNODE); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_rename_to); + COUNTER_INC(vnode_check_rename_to); return (0); } -COUNTER_DECL(check_vnode_revoke); +COUNTER_DECL(vnode_check_revoke); static int -mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp, +mac_test_vnode_check_revoke(struct ucred *cred, struct vnode *vp, struct label *vplabel) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_revoke); + COUNTER_INC(vnode_check_revoke); return (0); } -COUNTER_DECL(check_vnode_setacl); +COUNTER_DECL(vnode_check_setacl); static int -mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp, +mac_test_vnode_check_setacl(struct ucred *cred, struct vnode *vp, struct label *vplabel, acl_type_t type, struct acl *acl) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_setacl); + COUNTER_INC(vnode_check_setacl); return (0); } -COUNTER_DECL(check_vnode_setextattr); +COUNTER_DECL(vnode_check_setextattr); static int -mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, +mac_test_vnode_check_setextattr(struct ucred *cred, struct vnode *vp, struct label *vplabel, int attrnamespace, const char *name, struct uio *uio) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_setextattr); + COUNTER_INC(vnode_check_setextattr); return (0); } -COUNTER_DECL(check_vnode_setflags); +COUNTER_DECL(vnode_check_setflags); static int -mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp, +mac_test_vnode_check_setflags(struct ucred *cred, struct vnode *vp, struct label *vplabel, u_long flags) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_setflags); + 
COUNTER_INC(vnode_check_setflags); return (0); } -COUNTER_DECL(check_vnode_setmode); +COUNTER_DECL(vnode_check_setmode); static int -mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp, +mac_test_vnode_check_setmode(struct ucred *cred, struct vnode *vp, struct label *vplabel, mode_t mode) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_setmode); + COUNTER_INC(vnode_check_setmode); return (0); } -COUNTER_DECL(check_vnode_setowner); +COUNTER_DECL(vnode_check_setowner); static int -mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp, +mac_test_vnode_check_setowner(struct ucred *cred, struct vnode *vp, struct label *vplabel, uid_t uid, gid_t gid) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_setowner); + COUNTER_INC(vnode_check_setowner); return (0); } -COUNTER_DECL(check_vnode_setutimes); +COUNTER_DECL(vnode_check_setutimes); static int -mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, +mac_test_vnode_check_setutimes(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct timespec atime, struct timespec mtime) { LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_setutimes); + COUNTER_INC(vnode_check_setutimes); return (0); } -COUNTER_DECL(check_vnode_stat); +COUNTER_DECL(vnode_check_stat); static int -mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, +mac_test_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, struct label *vplabel) { 
@@ -2435,14 +2439,14 @@ mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, if (file_cred != NULL) LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_stat); + COUNTER_INC(vnode_check_stat); return (0); } -COUNTER_DECL(check_vnode_unlink); +COUNTER_DECL(vnode_check_unlink); static int -mac_test_check_vnode_unlink(struct ucred *cred, struct vnode *dvp, +mac_test_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp) { @@ -2450,14 +2454,14 @@ mac_test_check_vnode_unlink(struct ucred *cred, struct vnode *dvp, LABEL_CHECK(cred->cr_label, MAGIC_CRED); LABEL_CHECK(dvplabel, MAGIC_VNODE); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_unlink); + COUNTER_INC(vnode_check_unlink); return (0); } -COUNTER_DECL(check_vnode_write); +COUNTER_DECL(vnode_check_write); static int -mac_test_check_vnode_write(struct ucred *active_cred, +mac_test_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, struct label *vplabel) { 
@@ -2465,224 +2469,225 @@ mac_test_check_vnode_write(struct ucred *active_cred, if (file_cred != NULL) LABEL_CHECK(file_cred->cr_label, MAGIC_CRED); LABEL_CHECK(vplabel, MAGIC_VNODE); - COUNTER_INC(check_vnode_write); + COUNTER_INC(vnode_check_write); return (0); } static struct mac_policy_ops mac_test_ops = { - .mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label, - .mpo_init_cred_label = mac_test_init_cred_label, - .mpo_init_devfs_label = mac_test_init_devfs_label, - .mpo_init_ifnet_label = mac_test_init_ifnet_label, - .mpo_init_sysv_msgmsg_label = mac_test_init_sysv_msgmsg_label, - .mpo_init_sysv_msgqueue_label = mac_test_init_sysv_msgqueue_label, - .mpo_init_sysv_sem_label = mac_test_init_sysv_sem_label, - .mpo_init_sysv_shm_label = mac_test_init_sysv_shm_label, - .mpo_init_inpcb_label = mac_test_init_inpcb_label, - .mpo_init_ipq_label = mac_test_init_ipq_label, - .mpo_init_mbuf_label = mac_test_init_mbuf_label, - .mpo_init_mount_label = mac_test_init_mount_label, - .mpo_init_pipe_label = mac_test_init_pipe_label, - .mpo_init_posix_sem_label = mac_test_init_posix_sem_label, - .mpo_init_proc_label = mac_test_init_proc_label, - .mpo_init_socket_label = mac_test_init_socket_label, - .mpo_init_socket_peer_label = mac_test_init_socket_peer_label, - .mpo_init_vnode_label = mac_test_init_vnode_label, - .mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label, - .mpo_destroy_cred_label = mac_test_destroy_cred_label, - .mpo_destroy_devfs_label = mac_test_destroy_devfs_label, - .mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label, - .mpo_destroy_sysv_msgmsg_label = mac_test_destroy_sysv_msgmsg_label, - .mpo_destroy_sysv_msgqueue_label = - mac_test_destroy_sysv_msgqueue_label, - .mpo_destroy_sysv_sem_label = mac_test_destroy_sysv_sem_label, - .mpo_destroy_sysv_shm_label = mac_test_destroy_sysv_shm_label, - .mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label, - .mpo_destroy_ipq_label = mac_test_destroy_ipq_label, - .mpo_destroy_mbuf_label = 
mac_test_destroy_mbuf_label, - .mpo_destroy_mount_label = mac_test_destroy_mount_label, - .mpo_destroy_pipe_label = mac_test_destroy_pipe_label, - .mpo_destroy_posix_sem_label = mac_test_destroy_posix_sem_label, - .mpo_destroy_proc_label = mac_test_destroy_proc_label, - .mpo_destroy_socket_label = mac_test_destroy_socket_label, - .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label, - .mpo_destroy_vnode_label = mac_test_destroy_vnode_label, - .mpo_copy_cred_label = mac_test_copy_cred_label, - .mpo_copy_ifnet_label = mac_test_copy_ifnet_label, - .mpo_copy_mbuf_label = mac_test_copy_mbuf_label, - .mpo_copy_pipe_label = mac_test_copy_pipe_label, - .mpo_copy_socket_label = mac_test_copy_socket_label, - .mpo_copy_vnode_label = mac_test_copy_vnode_label, - .mpo_externalize_cred_label = mac_test_externalize_label, - .mpo_externalize_ifnet_label = mac_test_externalize_label, - .mpo_externalize_pipe_label = mac_test_externalize_label, - .mpo_externalize_socket_label = mac_test_externalize_label, - .mpo_externalize_socket_peer_label = mac_test_externalize_label, - .mpo_externalize_vnode_label = mac_test_externalize_label, - .mpo_internalize_cred_label = mac_test_internalize_label, - .mpo_internalize_ifnet_label = mac_test_internalize_label, - .mpo_internalize_pipe_label = mac_test_internalize_label, - .mpo_internalize_socket_label = mac_test_internalize_label, - .mpo_internalize_vnode_label = mac_test_internalize_label, - .mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs, - .mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr, - .mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel, - .mpo_create_devfs_device = mac_test_create_devfs_device, - .mpo_create_devfs_directory = mac_test_create_devfs_directory, - .mpo_create_devfs_symlink = mac_test_create_devfs_symlink, - .mpo_create_vnode_extattr = mac_test_create_vnode_extattr, - .mpo_create_mount = mac_test_create_mount, - .mpo_relabel_vnode = mac_test_relabel_vnode, - 
.mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr, - .mpo_update_devfs = mac_test_update_devfs, - .mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket, - .mpo_create_pipe = mac_test_create_pipe, - .mpo_create_posix_sem = mac_test_create_posix_sem, - .mpo_create_socket = mac_test_create_socket, - .mpo_create_socket_from_socket = mac_test_create_socket_from_socket, - .mpo_relabel_pipe = mac_test_relabel_pipe, - .mpo_relabel_socket = mac_test_relabel_socket, - .mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf, - .mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket, - .mpo_create_bpfdesc = mac_test_create_bpfdesc, - .mpo_create_ifnet = mac_test_create_ifnet, - .mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket, - .mpo_create_sysv_msgmsg = mac_test_create_sysv_msgmsg, - .mpo_create_sysv_msgqueue = mac_test_create_sysv_msgqueue, - .mpo_create_sysv_sem = mac_test_create_sysv_sem, - .mpo_create_sysv_shm = mac_test_create_sysv_shm, - .mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq, - .mpo_create_fragment = mac_test_create_fragment, - .mpo_create_ipq = mac_test_create_ipq, - .mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb, + .mpo_bpfdesc_init_label = mac_test_bpfdesc_init_label, + .mpo_cred_init_label = mac_test_cred_init_label, + .mpo_devfs_init_label = mac_test_devfs_init_label, + .mpo_ifnet_init_label = mac_test_ifnet_init_label, + .mpo_sysvmsg_init_label = mac_test_sysvmsg_init_label, + .mpo_sysvmsq_init_label = mac_test_sysvmsq_init_label, + .mpo_sysvsem_init_label = mac_test_sysvsem_init_label, + .mpo_sysvshm_init_label = mac_test_sysvshm_init_label, + .mpo_inpcb_init_label = mac_test_inpcb_init_label, + .mpo_ipq_init_label = mac_test_ipq_init_label, + .mpo_mbuf_init_label = mac_test_mbuf_init_label, + .mpo_mount_init_label = mac_test_mount_init_label, + .mpo_pipe_init_label = mac_test_pipe_init_label, + .mpo_posixsem_init_label = mac_test_posixsem_init_label, + 
.mpo_proc_init_label = mac_test_proc_init_label, + .mpo_socket_init_label = mac_test_socket_init_label, + .mpo_socketpeer_init_label = mac_test_socketpeer_init_label, + .mpo_vnode_init_label = mac_test_vnode_init_label, + .mpo_bpfdesc_destroy_label = mac_test_bpfdesc_destroy_label, + .mpo_cred_destroy_label = mac_test_cred_destroy_label, + .mpo_devfs_destroy_label = mac_test_devfs_destroy_label, + .mpo_ifnet_destroy_label = mac_test_ifnet_destroy_label, + .mpo_sysvmsg_destroy_label = mac_test_sysvmsg_destroy_label, + .mpo_sysvmsq_destroy_label = + mac_test_sysvmsq_destroy_label, + .mpo_sysvsem_destroy_label = mac_test_sysvsem_destroy_label, + .mpo_sysvshm_destroy_label = mac_test_sysvshm_destroy_label, + .mpo_inpcb_destroy_label = mac_test_inpcb_destroy_label, + .mpo_ipq_destroy_label = mac_test_ipq_destroy_label, + .mpo_mbuf_destroy_label = mac_test_mbuf_destroy_label, + .mpo_mount_destroy_label = mac_test_mount_destroy_label, + .mpo_pipe_destroy_label = mac_test_pipe_destroy_label, + .mpo_posixsem_destroy_label = mac_test_posixsem_destroy_label, + .mpo_proc_destroy_label = mac_test_proc_destroy_label, + .mpo_socket_destroy_label = mac_test_socket_destroy_label, + .mpo_socketpeer_destroy_label = mac_test_socketpeer_destroy_label, + .mpo_vnode_destroy_label = mac_test_vnode_destroy_label, + .mpo_cred_copy_label = mac_test_cred_copy_label, + .mpo_ifnet_copy_label = mac_test_ifnet_copy_label, + .mpo_mbuf_copy_label = mac_test_mbuf_copy_label, + .mpo_pipe_copy_label = mac_test_pipe_copy_label, + .mpo_socket_copy_label = mac_test_socket_copy_label, + .mpo_vnode_copy_label = mac_test_vnode_copy_label, + .mpo_cred_externalize_label = mac_test_externalize_label, + .mpo_ifnet_externalize_label = mac_test_externalize_label, + .mpo_pipe_externalize_label = mac_test_externalize_label, + .mpo_socket_externalize_label = mac_test_externalize_label, + .mpo_socketpeer_externalize_label = mac_test_externalize_label, + .mpo_vnode_externalize_label = mac_test_externalize_label, + 
.mpo_cred_internalize_label = mac_test_internalize_label, + .mpo_ifnet_internalize_label = mac_test_internalize_label, + .mpo_pipe_internalize_label = mac_test_internalize_label, + .mpo_socket_internalize_label = mac_test_internalize_label, + .mpo_vnode_internalize_label = mac_test_internalize_label, + .mpo_devfs_vnode_associate = mac_test_devfs_vnode_associate, + .mpo_vnode_associate_extattr = mac_test_vnode_associate_extattr, + .mpo_vnode_associate_singlelabel = mac_test_vnode_associate_singlelabel, + .mpo_devfs_create_device = mac_test_devfs_create_device, + .mpo_devfs_create_directory = mac_test_devfs_create_directory, + .mpo_devfs_create_symlink = mac_test_devfs_create_symlink, + .mpo_vnode_create_extattr = mac_test_vnode_create_extattr, + .mpo_mount_create = mac_test_mount_create, + .mpo_vnode_relabel = mac_test_vnode_relabel, + .mpo_vnode_setlabel_extattr = mac_test_vnode_setlabel_extattr, + .mpo_devfs_update = mac_test_devfs_update, + .mpo_socket_create_mbuf = mac_test_socket_create_mbuf, + .mpo_pipe_create = mac_test_pipe_create, + .mpo_posixsem_create = mac_test_posixsem_create, + .mpo_socket_create = mac_test_socket_create, + .mpo_socket_newconn = mac_test_socket_newconn, + .mpo_pipe_relabel = mac_test_pipe_relabel, + .mpo_socket_relabel = mac_test_socket_relabel, + .mpo_socketpeer_set_from_mbuf = mac_test_socketpeer_set_from_mbuf, + .mpo_socketpeer_set_from_socket = mac_test_socketpeer_set_from_socket, + .mpo_bpfdesc_create = mac_test_bpfdesc_create, + .mpo_ifnet_create = mac_test_ifnet_create, + .mpo_inpcb_create = mac_test_inpcb_create, + .mpo_sysvmsg_create = mac_test_sysvmsg_create, + .mpo_sysvmsq_create = mac_test_sysvmsq_create, + .mpo_sysvsem_create = mac_test_sysvsem_create, + .mpo_sysvshm_create = mac_test_sysvshm_create, + .mpo_ipq_reassemble = mac_test_ipq_reassemble, + .mpo_netinet_fragment = mac_test_netinet_fragment, + .mpo_ipq_create = mac_test_ipq_create, + .mpo_inpcb_create_mbuf = mac_test_inpcb_create_mbuf, .mpo_create_mbuf_linklayer = 
mac_test_create_mbuf_linklayer, - .mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc, - .mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet, - .mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap, - .mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer, - .mpo_fragment_match = mac_test_fragment_match, - .mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp, - .mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp, - .mpo_relabel_ifnet = mac_test_relabel_ifnet, - .mpo_update_ipq = mac_test_update_ipq, + .mpo_bpfdesc_create_mbuf = mac_test_bpfdesc_create_mbuf, + .mpo_ifnet_create_mbuf = mac_test_ifnet_create_mbuf, + .mpo_mbuf_create_multicast_encap = mac_test_mbuf_create_multicast_encap, + .mpo_mbuf_create_netlayer = mac_test_mbuf_create_netlayer, + .mpo_ipq_match = mac_test_ipq_match, + .mpo_netinet_icmp_reply = mac_test_netinet_icmp_reply, + .mpo_netinet_tcp_reply = mac_test_netinet_tcp_reply, + .mpo_ifnet_relabel = mac_test_ifnet_relabel, + .mpo_ipq_update = mac_test_ipq_update, .mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel, - .mpo_execve_transition = mac_test_execve_transition, - .mpo_execve_will_transition = mac_test_execve_will_transition, - .mpo_create_proc0 = mac_test_create_proc0, - .mpo_create_proc1 = mac_test_create_proc1, - .mpo_relabel_cred = mac_test_relabel_cred, + .mpo_vnode_execve_transition = mac_test_vnode_execve_transition, + .mpo_vnode_execve_will_transition = + mac_test_vnode_execve_will_transition, + .mpo_proc_create_swapper = mac_test_proc_create_swapper, + .mpo_proc_create_init = mac_test_proc_create_init, + .mpo_cred_relabel = mac_test_cred_relabel, .mpo_thread_userret = mac_test_thread_userret, - .mpo_cleanup_sysv_msgmsg = mac_test_cleanup_sysv_msgmsg, - .mpo_cleanup_sysv_msgqueue = mac_test_cleanup_sysv_msgqueue, - .mpo_cleanup_sysv_sem = mac_test_cleanup_sysv_sem, - .mpo_cleanup_sysv_shm = mac_test_cleanup_sysv_shm, - .mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive, - 
.mpo_check_cred_relabel = mac_test_check_cred_relabel, - .mpo_check_cred_visible = mac_test_check_cred_visible, - .mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel, - .mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit, - .mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver, - .mpo_check_sysv_msgmsq = mac_test_check_sysv_msgmsq, - .mpo_check_sysv_msgrcv = mac_test_check_sysv_msgrcv, - .mpo_check_sysv_msgrmid = mac_test_check_sysv_msgrmid, - .mpo_check_sysv_msqget = mac_test_check_sysv_msqget, - .mpo_check_sysv_msqsnd = mac_test_check_sysv_msqsnd, - .mpo_check_sysv_msqrcv = mac_test_check_sysv_msqrcv, - .mpo_check_sysv_msqctl = mac_test_check_sysv_msqctl, - .mpo_check_sysv_semctl = mac_test_check_sysv_semctl, - .mpo_check_sysv_semget = mac_test_check_sysv_semget, - .mpo_check_sysv_semop = mac_test_check_sysv_semop, - .mpo_check_sysv_shmat = mac_test_check_sysv_shmat, - .mpo_check_sysv_shmctl = mac_test_check_sysv_shmctl, - .mpo_check_sysv_shmdt = mac_test_check_sysv_shmdt, - .mpo_check_sysv_shmget = mac_test_check_sysv_shmget, - .mpo_check_kenv_dump = mac_test_check_kenv_dump, - .mpo_check_kenv_get = mac_test_check_kenv_get, - .mpo_check_kenv_set = mac_test_check_kenv_set, - .mpo_check_kenv_unset = mac_test_check_kenv_unset, - .mpo_check_kld_load = mac_test_check_kld_load, - .mpo_check_kld_stat = mac_test_check_kld_stat, - .mpo_check_mount_stat = mac_test_check_mount_stat, - .mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl, - .mpo_check_pipe_poll = mac_test_check_pipe_poll, - .mpo_check_pipe_read = mac_test_check_pipe_read, - .mpo_check_pipe_relabel = mac_test_check_pipe_relabel, - .mpo_check_pipe_stat = mac_test_check_pipe_stat, - .mpo_check_pipe_write = mac_test_check_pipe_write, - .mpo_check_posix_sem_destroy = mac_test_check_posix_sem, - .mpo_check_posix_sem_getvalue = mac_test_check_posix_sem, - .mpo_check_posix_sem_open = mac_test_check_posix_sem, - .mpo_check_posix_sem_post = mac_test_check_posix_sem, - .mpo_check_posix_sem_unlink = 
mac_test_check_posix_sem, - .mpo_check_posix_sem_wait = mac_test_check_posix_sem, - .mpo_check_proc_debug = mac_test_check_proc_debug, - .mpo_check_proc_sched = mac_test_check_proc_sched, - .mpo_check_proc_setaudit = mac_test_check_proc_setaudit, - .mpo_check_proc_setaudit_addr = mac_test_check_proc_setaudit_addr, - .mpo_check_proc_setauid = mac_test_check_proc_setauid, - .mpo_check_proc_setuid = mac_test_check_proc_setuid, - .mpo_check_proc_seteuid = mac_test_check_proc_seteuid, - .mpo_check_proc_setgid = mac_test_check_proc_setgid, - .mpo_check_proc_setegid = mac_test_check_proc_setegid, - .mpo_check_proc_setgroups = mac_test_check_proc_setgroups, - .mpo_check_proc_setreuid = mac_test_check_proc_setreuid, - .mpo_check_proc_setregid = mac_test_check_proc_setregid, - .mpo_check_proc_setresuid = mac_test_check_proc_setresuid, - .mpo_check_proc_setresgid = mac_test_check_proc_setresgid, - .mpo_check_proc_signal = mac_test_check_proc_signal, - .mpo_check_proc_wait = mac_test_check_proc_wait, - .mpo_check_socket_accept = mac_test_check_socket_accept, - .mpo_check_socket_bind = mac_test_check_socket_bind, - .mpo_check_socket_connect = mac_test_check_socket_connect, - .mpo_check_socket_deliver = mac_test_check_socket_deliver, - .mpo_check_socket_listen = mac_test_check_socket_listen, - .mpo_check_socket_poll = mac_test_check_socket_poll, - .mpo_check_socket_receive = mac_test_check_socket_receive, - .mpo_check_socket_relabel = mac_test_check_socket_relabel, - .mpo_check_socket_send = mac_test_check_socket_send, - .mpo_check_socket_stat = mac_test_check_socket_stat, - .mpo_check_socket_visible = mac_test_check_socket_visible, - .mpo_check_system_acct = mac_test_check_system_acct, - .mpo_check_system_audit = mac_test_check_system_audit, - .mpo_check_system_auditctl = mac_test_check_system_auditctl, - .mpo_check_system_auditon = mac_test_check_system_auditon, - .mpo_check_system_reboot = mac_test_check_system_reboot, - .mpo_check_system_swapoff = 
mac_test_check_system_swapoff, - .mpo_check_system_swapon = mac_test_check_system_swapon, - .mpo_check_system_sysctl = mac_test_check_system_sysctl, - .mpo_check_vnode_access = mac_test_check_vnode_access, - .mpo_check_vnode_chdir = mac_test_check_vnode_chdir, - .mpo_check_vnode_chroot = mac_test_check_vnode_chroot, - .mpo_check_vnode_create = mac_test_check_vnode_create, - .mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl, - .mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr, - .mpo_check_vnode_exec = mac_test_check_vnode_exec, - .mpo_check_vnode_getacl = mac_test_check_vnode_getacl, - .mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr, - .mpo_check_vnode_link = mac_test_check_vnode_link, - .mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr, - .mpo_check_vnode_lookup = mac_test_check_vnode_lookup, - .mpo_check_vnode_mmap = mac_test_check_vnode_mmap, - .mpo_check_vnode_open = mac_test_check_vnode_open, - .mpo_check_vnode_poll = mac_test_check_vnode_poll, - .mpo_check_vnode_read = mac_test_check_vnode_read, - .mpo_check_vnode_readdir = mac_test_check_vnode_readdir, - .mpo_check_vnode_readlink = mac_test_check_vnode_readlink, - .mpo_check_vnode_relabel = mac_test_check_vnode_relabel, - .mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from, - .mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to, - .mpo_check_vnode_revoke = mac_test_check_vnode_revoke, - .mpo_check_vnode_setacl = mac_test_check_vnode_setacl, - .mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr, - .mpo_check_vnode_setflags = mac_test_check_vnode_setflags, - .mpo_check_vnode_setmode = mac_test_check_vnode_setmode, - .mpo_check_vnode_setowner = mac_test_check_vnode_setowner, - .mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes, - .mpo_check_vnode_stat = mac_test_check_vnode_stat, - .mpo_check_vnode_unlink = mac_test_check_vnode_unlink, - .mpo_check_vnode_write = mac_test_check_vnode_write, + .mpo_sysvmsg_cleanup = 
mac_test_sysvmsg_cleanup, + .mpo_sysvmsq_cleanup = mac_test_sysvmsq_cleanup, + .mpo_sysvsem_cleanup = mac_test_sysvsem_cleanup, + .mpo_sysvshm_cleanup = mac_test_sysvshm_cleanup, + .mpo_bpfdesc_check_receive = mac_test_bpfdesc_check_receive, + .mpo_cred_check_relabel = mac_test_cred_check_relabel, + .mpo_cred_check_visible = mac_test_cred_check_visible, + .mpo_ifnet_check_relabel = mac_test_ifnet_check_relabel, + .mpo_ifnet_check_transmit = mac_test_ifnet_check_transmit, + .mpo_inpcb_check_deliver = mac_test_inpcb_check_deliver, + .mpo_sysvmsq_check_msgmsq = mac_test_sysvmsq_check_msgmsq, + .mpo_sysvmsq_check_msgrcv = mac_test_sysvmsq_check_msgrcv, + .mpo_sysvmsq_check_msgrmid = mac_test_sysvmsq_check_msgrmid, + .mpo_sysvmsq_check_msqget = mac_test_sysvmsq_check_msqget, + .mpo_sysvmsq_check_msqsnd = mac_test_sysvmsq_check_msqsnd, + .mpo_sysvmsq_check_msqrcv = mac_test_sysvmsq_check_msqrcv, + .mpo_sysvmsq_check_msqctl = mac_test_sysvmsq_check_msqctl, + .mpo_sysvsem_check_semctl = mac_test_sysvsem_check_semctl, + .mpo_sysvsem_check_semget = mac_test_sysvsem_check_semget, + .mpo_sysvsem_check_semop = mac_test_sysvsem_check_semop, + .mpo_sysvshm_check_shmat = mac_test_sysvshm_check_shmat, + .mpo_sysvshm_check_shmctl = mac_test_sysvshm_check_shmctl, + .mpo_sysvshm_check_shmdt = mac_test_sysvshm_check_shmdt, + .mpo_sysvshm_check_shmget = mac_test_sysvshm_check_shmget, + .mpo_kenv_check_dump = mac_test_kenv_check_dump, + .mpo_kenv_check_get = mac_test_kenv_check_get, + .mpo_kenv_check_set = mac_test_kenv_check_set, + .mpo_kenv_check_unset = mac_test_kenv_check_unset, + .mpo_kld_check_load = mac_test_kld_check_load, + .mpo_kld_check_stat = mac_test_kld_check_stat, + .mpo_mount_check_stat = mac_test_mount_check_stat, + .mpo_pipe_check_ioctl = mac_test_pipe_check_ioctl, + .mpo_pipe_check_poll = mac_test_pipe_check_poll, + .mpo_pipe_check_read = mac_test_pipe_check_read, + .mpo_pipe_check_relabel = mac_test_pipe_check_relabel, + .mpo_pipe_check_stat = 
mac_test_pipe_check_stat, + .mpo_pipe_check_write = mac_test_pipe_check_write, + .mpo_posixsem_check_destroy = mac_test_posixsem_check, + .mpo_posixsem_check_getvalue = mac_test_posixsem_check, + .mpo_posixsem_check_open = mac_test_posixsem_check, + .mpo_posixsem_check_post = mac_test_posixsem_check, + .mpo_posixsem_check_unlink = mac_test_posixsem_check, + .mpo_posixsem_check_wait = mac_test_posixsem_check, + .mpo_proc_check_debug = mac_test_proc_check_debug, + .mpo_proc_check_sched = mac_test_proc_check_sched, + .mpo_proc_check_setaudit = mac_test_proc_check_setaudit, + .mpo_proc_check_setaudit_addr = mac_test_proc_check_setaudit_addr, + .mpo_proc_check_setauid = mac_test_proc_check_setauid, + .mpo_proc_check_setuid = mac_test_proc_check_setuid, + .mpo_proc_check_seteuid = mac_test_proc_check_seteuid, + .mpo_proc_check_setgid = mac_test_proc_check_setgid, + .mpo_proc_check_setegid = mac_test_proc_check_setegid, + .mpo_proc_check_setgroups = mac_test_proc_check_setgroups, + .mpo_proc_check_setreuid = mac_test_proc_check_setreuid, + .mpo_proc_check_setregid = mac_test_proc_check_setregid, + .mpo_proc_check_setresuid = mac_test_proc_check_setresuid, + .mpo_proc_check_setresgid = mac_test_proc_check_setresgid, + .mpo_proc_check_signal = mac_test_proc_check_signal, + .mpo_proc_check_wait = mac_test_proc_check_wait, + .mpo_socket_check_accept = mac_test_socket_check_accept, + .mpo_socket_check_bind = mac_test_socket_check_bind, + .mpo_socket_check_connect = mac_test_socket_check_connect, + .mpo_socket_check_deliver = mac_test_socket_check_deliver, + .mpo_socket_check_listen = mac_test_socket_check_listen, + .mpo_socket_check_poll = mac_test_socket_check_poll, + .mpo_socket_check_receive = mac_test_socket_check_receive, + .mpo_socket_check_relabel = mac_test_socket_check_relabel, + .mpo_socket_check_send = mac_test_socket_check_send, + .mpo_socket_check_stat = mac_test_socket_check_stat, + .mpo_socket_check_visible = mac_test_socket_check_visible, + 
.mpo_system_check_acct = mac_test_system_check_acct, + .mpo_system_check_audit = mac_test_system_check_audit, + .mpo_system_check_auditctl = mac_test_system_check_auditctl, + .mpo_system_check_auditon = mac_test_system_check_auditon, + .mpo_system_check_reboot = mac_test_system_check_reboot, + .mpo_system_check_swapoff = mac_test_system_check_swapoff, + .mpo_system_check_swapon = mac_test_system_check_swapon, + .mpo_system_check_sysctl = mac_test_system_check_sysctl, + .mpo_vnode_check_access = mac_test_vnode_check_access, + .mpo_vnode_check_chdir = mac_test_vnode_check_chdir, + .mpo_vnode_check_chroot = mac_test_vnode_check_chroot, + .mpo_vnode_check_create = mac_test_vnode_check_create, + .mpo_vnode_check_deleteacl = mac_test_vnode_check_deleteacl, + .mpo_vnode_check_deleteextattr = mac_test_vnode_check_deleteextattr, + .mpo_vnode_check_exec = mac_test_vnode_check_exec, + .mpo_vnode_check_getacl = mac_test_vnode_check_getacl, + .mpo_vnode_check_getextattr = mac_test_vnode_check_getextattr, + .mpo_vnode_check_link = mac_test_vnode_check_link, + .mpo_vnode_check_listextattr = mac_test_vnode_check_listextattr, + .mpo_vnode_check_lookup = mac_test_vnode_check_lookup, + .mpo_vnode_check_mmap = mac_test_vnode_check_mmap, + .mpo_vnode_check_open = mac_test_vnode_check_open, + .mpo_vnode_check_poll = mac_test_vnode_check_poll, + .mpo_vnode_check_read = mac_test_vnode_check_read, + .mpo_vnode_check_readdir = mac_test_vnode_check_readdir, + .mpo_vnode_check_readlink = mac_test_vnode_check_readlink, + .mpo_vnode_check_relabel = mac_test_vnode_check_relabel, + .mpo_vnode_check_rename_from = mac_test_vnode_check_rename_from, + .mpo_vnode_check_rename_to = mac_test_vnode_check_rename_to, + .mpo_vnode_check_revoke = mac_test_vnode_check_revoke, + .mpo_vnode_check_setacl = mac_test_vnode_check_setacl, + .mpo_vnode_check_setextattr = mac_test_vnode_check_setextattr, + .mpo_vnode_check_setflags = mac_test_vnode_check_setflags, + .mpo_vnode_check_setmode = 
mac_test_vnode_check_setmode, + .mpo_vnode_check_setowner = mac_test_vnode_check_setowner, + .mpo_vnode_check_setutimes = mac_test_vnode_check_setutimes, + .mpo_vnode_check_stat = mac_test_vnode_check_stat, + .mpo_vnode_check_unlink = mac_test_vnode_check_unlink, + .mpo_vnode_check_write = mac_test_vnode_check_write, }; MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test", |
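Review bot: The context line `.mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,` in the `mac_test_ops` initializer keeps the old verb-first name, while every other entry this hunk touches moves to the object-first form (`mpo_<object>_<method>`). The unchanged `.mpo_inpcb_sosetlabel` and `.mpo_thread_userret` entries already fit the new scheme, so this looks like the only straggler in the table. If that is deliberate, for instance because the entry point is to be reworked separately, a short marker above it would stop readers taking it for an oversight, e.g. `/* XXX: not yet renamed to the object-first scheme. */`. Because the table uses designated initializers, a mismatched field or function name would fail the build, so this is a consistency point rather than a functional one.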