authorRobert Watson <rwatson@FreeBSD.org>2003-11-12 03:14:31 +0000
committerRobert Watson <rwatson@FreeBSD.org>2003-11-12 03:14:31 +0000
commiteca8a663d442468f64e21ed869817b9048ab5a7b (patch)
treea3d104511a2cb91c797ff9c5bcc6f9c70abc63ce
parent5c957adbf1741a33bb35cf087f7ee81de42e6ac2 (diff)
downloadsrc-eca8a663d442468f64e21ed869817b9048ab5a7b.tar.gz
src-eca8a663d442468f64e21ed869817b9048ab5a7b.zip
-rw-r--r--sys/conf/files1
-rw-r--r--sys/fs/devfs/devfs.h2
-rw-r--r--sys/kern/kern_exec.c24
-rw-r--r--sys/kern/kern_mac.c119
-rw-r--r--sys/net/bpfdesc.h3
-rw-r--r--sys/net/if_var.h3
-rw-r--r--sys/netinet/ip_var.h6
-rw-r--r--sys/security/mac/mac_framework.c119
-rw-r--r--sys/security/mac/mac_framework.h11
-rw-r--r--sys/security/mac/mac_internal.h14
-rw-r--r--sys/security/mac/mac_label.c97
-rw-r--r--sys/security/mac/mac_net.c259
-rw-r--r--sys/security/mac/mac_pipe.c25
-rw-r--r--sys/security/mac/mac_process.c64
-rw-r--r--sys/security/mac/mac_syscalls.c119
-rw-r--r--sys/security/mac/mac_system.c8
-rw-r--r--sys/security/mac/mac_vfs.c222
-rw-r--r--sys/security/mac_biba/mac_biba.c136
-rw-r--r--sys/security/mac_lomac/mac_lomac.c112
-rw-r--r--sys/security/mac_mls/mac_mls.c122
-rw-r--r--sys/security/mac_partition/mac_partition.c18
-rw-r--r--sys/security/mac_test/mac_test.c182
-rw-r--r--sys/sys/mac.h11
-rw-r--r--sys/sys/mount.h5
-rw-r--r--sys/sys/pipe.h1
-rw-r--r--sys/sys/proc.h3
-rw-r--r--sys/sys/socketvar.h5
-rw-r--r--sys/sys/ucred.h3
-rw-r--r--sys/sys/vnode.h3
29 files changed, 951 insertions, 746 deletions
diff --git a/sys/conf/files b/sys/conf/files
index 09e194404ae3..b5e3db3c99f7 100644
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -1618,6 +1618,7 @@ posix4/ksched.c optional _kposix_priority_scheduling
posix4/p1003_1b.c standard
posix4/posix4_mib.c standard
kern/uipc_sem.c optional p1003_1b_semaphores
+security/mac/mac_label.c optional mac
security/mac/mac_net.c optional mac
security/mac/mac_pipe.c optional mac
security/mac/mac_process.c optional mac
diff --git a/sys/fs/devfs/devfs.h b/sys/fs/devfs/devfs.h
index 7c660ec0f351..38ed7f8778d1 100644
--- a/sys/fs/devfs/devfs.h
+++ b/sys/fs/devfs/devfs.h
@@ -159,7 +159,7 @@ struct devfs_dirent {
mode_t de_mode;
uid_t de_uid;
gid_t de_gid;
- struct label de_label;
+ struct label *de_label;
struct timespec de_atime;
struct timespec de_mtime;
struct timespec de_ctime;
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index d55e9f38eb67..8df8e88f1628 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -167,9 +167,8 @@ kern_execve(td, fname, argv, envv, mac_p)
int credential_changing;
int textset;
#ifdef MAC
- struct label interplabel; /* label of the interpreted vnode */
- struct label execlabel; /* optional label argument */
- int will_transition, interplabelvalid = 0;
+ struct label *interplabel = NULL;
+ int will_transition;
#endif
imgp = &image_params;
@@ -222,7 +221,7 @@ kern_execve(td, fname, argv, envv, mac_p)
imgp->auxarg_size = 0;
#ifdef MAC
- error = mac_execve_enter(imgp, mac_p, &execlabel);
+ error = mac_execve_enter(imgp, mac_p);
if (error) {
mtx_lock(&Giant);
goto exec_fail;
@@ -336,9 +335,8 @@ interpret:
/* free name buffer and old vnode */
NDFREE(ndp, NDF_ONLY_PNBUF);
#ifdef MAC
- mac_init_vnode_label(&interplabel);
- mac_copy_vnode_label(&ndp->ni_vp->v_label, &interplabel);
- interplabelvalid = 1;
+ interplabel = mac_vnode_label_alloc();
+ mac_copy_vnode_label(ndp->ni_vp->v_label, interplabel);
#endif
vput(ndp->ni_vp);
vm_object_deallocate(imgp->object);
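Review bot: `interplabel = mac_vnode_label_alloc();` sits on the `interpret:` re-entry path and overwrites whatever the pointer already held, so if an image activator can send execution through `interpret:` a second time the earlier allocation is leaked (the stack-based code it replaces had the matching double-init problem). Releasing before reallocating, `if (interplabel != NULL) mac_vnode_label_free(interplabel);` placed just ahead of the alloc, keeps the pointer single-owner however many passes occur. kern_execve begins and ends outside this hunk, so whether a second pass is actually reachable cannot be confirmed from here.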
@@ -452,7 +450,7 @@ interpret:
attr.va_gid;
#ifdef MAC
will_transition = mac_execve_will_transition(oldcred, imgp->vp,
- interplabelvalid ? &interplabel : NULL, imgp);
+ interplabel, imgp);
credential_changing |= will_transition;
#endif
@@ -502,7 +500,7 @@ interpret:
#ifdef MAC
if (will_transition) {
mac_execve_transition(oldcred, newcred, imgp->vp,
- interplabelvalid ? &interplabel : NULL, imgp);
+ interplabel, imgp);
}
#endif
/*
@@ -654,8 +652,8 @@ exec_fail:
/* sorry, no more process anymore. exit gracefully */
#ifdef MAC
mac_execve_exit(imgp);
- if (interplabelvalid)
- mac_destroy_vnode_label(&interplabel);
+ if (interplabel != NULL)
+ mac_vnode_label_free(interplabel);
#endif
exit1(td, W_EXITCODE(0, SIGABRT));
/* NOT REACHED */
@@ -664,8 +662,8 @@ exec_fail:
done2:
#ifdef MAC
mac_execve_exit(imgp);
- if (interplabelvalid)
- mac_destroy_vnode_label(&interplabel);
+ if (interplabel != NULL)
+ mac_vnode_label_free(interplabel);
#endif
mtx_unlock(&Giant);
return (error);
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index c45900379dcb..f9adf9bee8d0 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -256,6 +256,7 @@ mac_init(void)
LIST_INIT(&mac_static_policy_list);
LIST_INIT(&mac_policy_list);
+ mac_labelzone_init();
mtx_init(&mac_policy_mtx, "mac_policy_mtx", NULL, MTX_DEF);
cv_init(&mac_policy_cv, "mac_policy_cv");
@@ -565,7 +566,7 @@ __mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap)
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_cred_label(&tcred->cr_label, elements,
+ error = mac_externalize_cred_label(tcred->cr_label, elements,
buffer, mac.m_buflen);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -602,7 +603,7 @@ __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_cred_label(&td->td_ucred->cr_label,
+ error = mac_externalize_cred_label(td->td_ucred->cr_label,
elements, buffer, mac.m_buflen);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -619,7 +620,7 @@ int
__mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
{
struct ucred *newcred, *oldcred;
- struct label intlabel;
+ struct label *intlabel;
struct proc *p;
struct mac mac;
char *buffer;
@@ -640,13 +641,11 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
return (error);
}
- mac_init_cred_label(&intlabel);
- error = mac_internalize_cred_label(&intlabel, buffer);
+ intlabel = mac_cred_label_alloc();
+ error = mac_internalize_cred_label(intlabel, buffer);
free(buffer, M_MACTEMP);
- if (error) {
- mac_destroy_cred_label(&intlabel);
- return (error);
- }
+ if (error)
+ goto out;
newcred = crget();
@@ -654,7 +653,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
PROC_LOCK(p);
oldcred = p->p_ucred;
- error = mac_check_cred_relabel(oldcred, &intlabel);
+ error = mac_check_cred_relabel(oldcred, intlabel);
if (error) {
PROC_UNLOCK(p);
crfree(newcred);
@@ -663,7 +662,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
setsugid(p);
crcopy(newcred, oldcred);
- mac_relabel_cred(newcred, &intlabel);
+ mac_relabel_cred(newcred, intlabel);
p->p_ucred = newcred;
/*
@@ -683,7 +682,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
crfree(oldcred);
out:
- mac_destroy_cred_label(&intlabel);
+ mac_cred_label_free(intlabel);
return (error);
}
@@ -694,7 +693,7 @@ int
__mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
{
char *elements, *buffer;
- struct label intlabel;
+ struct label *intlabel;
struct file *fp;
struct mac mac;
struct vnode *vp;
@@ -729,20 +728,20 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
case DTYPE_VNODE:
vp = fp->f_vnode;
- mac_init_vnode_label(&intlabel);
+ intlabel = mac_vnode_label_alloc();
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- mac_copy_vnode_label(&vp->v_label, &intlabel);
+ mac_copy_vnode_label(vp->v_label, intlabel);
VOP_UNLOCK(vp, 0, td);
break;
case DTYPE_PIPE:
pipe = fp->f_data;
- mac_init_pipe_label(&intlabel);
+ intlabel = mac_pipe_label_alloc();
PIPE_LOCK(pipe);
- mac_copy_pipe_label(pipe->pipe_label, &intlabel);
+ mac_copy_pipe_label(pipe->pipe_label, intlabel);
PIPE_UNLOCK(pipe);
break;
default:
@@ -756,14 +755,14 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
case DTYPE_FIFO:
case DTYPE_VNODE:
if (error == 0)
- error = mac_externalize_vnode_label(&intlabel,
+ error = mac_externalize_vnode_label(intlabel,
elements, buffer, mac.m_buflen);
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
break;
case DTYPE_PIPE:
- error = mac_externalize_pipe_label(&intlabel, elements,
+ error = mac_externalize_pipe_label(intlabel, elements,
buffer, mac.m_buflen);
- mac_destroy_pipe_label(&intlabel);
+ mac_pipe_label_free(intlabel);
break;
default:
panic("__mac_get_fd: corrupted label_type");
@@ -788,7 +787,7 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
{
char *elements, *buffer;
struct nameidata nd;
- struct label intlabel;
+ struct label *intlabel;
struct mac mac;
int error;
@@ -815,13 +814,13 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
if (error)
goto out;
- mac_init_vnode_label(&intlabel);
- mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel);
- error = mac_externalize_vnode_label(&intlabel, elements, buffer,
+ intlabel = mac_vnode_label_alloc();
+ mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
+ error = mac_externalize_vnode_label(intlabel, elements, buffer,
mac.m_buflen);
NDFREE(&nd, 0);
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -843,7 +842,7 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
{
char *elements, *buffer;
struct nameidata nd;
- struct label intlabel;
+ struct label *intlabel;
struct mac mac;
int error;
@@ -870,12 +869,12 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
if (error)
goto out;
- mac_init_vnode_label(&intlabel);
- mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel);
- error = mac_externalize_vnode_label(&intlabel, elements, buffer,
+ intlabel = mac_vnode_label_alloc();
+ mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
+ error = mac_externalize_vnode_label(intlabel, elements, buffer,
mac.m_buflen);
NDFREE(&nd, 0);
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -895,7 +894,7 @@ out:
int
__mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
{
- struct label intlabel;
+ struct label *intlabel;
struct pipe *pipe;
struct file *fp;
struct mount *mp;
@@ -928,40 +927,40 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
switch (fp->f_type) {
case DTYPE_FIFO:
case DTYPE_VNODE:
- mac_init_vnode_label(&intlabel);
- error = mac_internalize_vnode_label(&intlabel, buffer);
+ intlabel = mac_vnode_label_alloc();
+ error = mac_internalize_vnode_label(intlabel, buffer);
if (error) {
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
break;
}
vp = fp->f_vnode;
error = vn_start_write(vp, &mp, V_WAIT | PCATCH);
if (error != 0) {
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
break;
}
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- error = vn_setlabel(vp, &intlabel, td->td_ucred);
+ error = vn_setlabel(vp, intlabel, td->td_ucred);
VOP_UNLOCK(vp, 0, td);
vn_finished_write(mp);
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
break;
case DTYPE_PIPE:
- mac_init_pipe_label(&intlabel);
- error = mac_internalize_pipe_label(&intlabel, buffer);
+ intlabel = mac_pipe_label_alloc();
+ error = mac_internalize_pipe_label(intlabel, buffer);
if (error == 0) {
pipe = fp->f_data;
PIPE_LOCK(pipe);
error = mac_pipe_label_set(td->td_ucred, pipe,
- &intlabel);
+ intlabel);
PIPE_UNLOCK(pipe);
}
- mac_destroy_pipe_label(&intlabel);
+ mac_pipe_label_free(intlabel);
break;
default:
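Review bot: In the DTYPE_VNODE case the label is released on three separate paths (`mac_vnode_label_free(intlabel)` after the internalize failure, after the `vn_start_write` failure, and after `vn_setlabel`), while the DTYPE_PIPE case in the same hunk uses a single release point behind an `if (error == 0)` block; shaping the vnode case the same way removes two of the three frees without adding an exit. The byte-identical hunk appears again in the mac_framework.c copy of this file. `__mac_set_fd` begins and ends outside the hunk.
```c
	case DTYPE_FIFO:
	case DTYPE_VNODE:
		intlabel = mac_vnode_label_alloc();
		error = mac_internalize_vnode_label(intlabel, buffer);
		if (error == 0) {
			vp = fp->f_vnode;
			error = vn_start_write(vp, &mp, V_WAIT | PCATCH);
			if (error == 0) {
				vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
				error = vn_setlabel(vp, intlabel, td->td_ucred);
				VOP_UNLOCK(vp, 0, td);
				vn_finished_write(mp);
			}
		}
		/* Single release point, mirroring the DTYPE_PIPE case. */
		mac_vnode_label_free(intlabel);
		break;
	/* … unchanged: DTYPE_PIPE case … */
```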
@@ -983,7 +982,7 @@ out:
int
__mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
{
- struct label intlabel;
+ struct label *intlabel;
struct nameidata nd;
struct mount *mp;
struct mac mac;
@@ -1005,13 +1004,11 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
return (error);
}
- mac_init_vnode_label(&intlabel);
- error = mac_internalize_vnode_label(&intlabel, buffer);
+ intlabel = mac_vnode_label_alloc();
+ error = mac_internalize_vnode_label(intlabel, buffer);
free(buffer, M_MACTEMP);
- if (error) {
- mac_destroy_vnode_label(&intlabel);
- return (error);
- }
+ if (error)
+ goto out;
mtx_lock(&Giant); /* VFS */
@@ -1021,15 +1018,15 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
if (error == 0) {
error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
if (error == 0)
- error = vn_setlabel(nd.ni_vp, &intlabel,
+ error = vn_setlabel(nd.ni_vp, intlabel,
td->td_ucred);
vn_finished_write(mp);
}
NDFREE(&nd, 0);
mtx_unlock(&Giant); /* VFS */
- mac_destroy_vnode_label(&intlabel);
-
+out:
+ mac_vnode_label_free(intlabel);
return (error);
}
@@ -1039,7 +1036,7 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
int
__mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
{
- struct label intlabel;
+ struct label *intlabel;
struct nameidata nd;
struct mount *mp;
struct mac mac;
@@ -1061,13 +1058,11 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
return (error);
}
- mac_init_vnode_label(&intlabel);
- error = mac_internalize_vnode_label(&intlabel, buffer);
+ intlabel = mac_vnode_label_alloc();
+ error = mac_internalize_vnode_label(intlabel, buffer);
free(buffer, M_MACTEMP);
- if (error) {
- mac_destroy_vnode_label(&intlabel);
- return (error);
- }
+ if (error)
+ goto out;
mtx_lock(&Giant); /* VFS */
@@ -1077,15 +1072,15 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
if (error == 0) {
error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
if (error == 0)
- error = vn_setlabel(nd.ni_vp, &intlabel,
+ error = vn_setlabel(nd.ni_vp, intlabel,
td->td_ucred);
vn_finished_write(mp);
}
NDFREE(&nd, 0);
mtx_unlock(&Giant); /* VFS */
- mac_destroy_vnode_label(&intlabel);
-
+out:
+ mac_vnode_label_free(intlabel);
return (error);
}
diff --git a/sys/net/bpfdesc.h b/sys/net/bpfdesc.h
index 73dcc90bb15a..02c79ebf4c92 100644
--- a/sys/net/bpfdesc.h
+++ b/sys/net/bpfdesc.h
@@ -43,7 +43,6 @@
#ifndef _NET_BPFDESC_H_
#define _NET_BPFDESC_H_
-#include <sys/_label.h>
#include <sys/callout.h>
#include <sys/selinfo.h>
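Review bot: With `<sys/_label.h>` dropped, the `struct label *bd_label` member in the next hunk becomes the first mention of the tag in this header unless another include happens to define it first; C then introduces the tag implicitly from the member declaration, which compiles but hides the dependency. A one-line forward declaration beside the remaining includes, `struct label;`, makes it explicit. The same applies to `if_var.h`, which already has a forward-declaration block for `struct socket` and `struct ether_header` where it would fit, and to `ipq_label` in `ip_var.h`.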
@@ -93,7 +92,7 @@ struct bpf_d {
#endif
struct mtx bd_mtx; /* mutex for this descriptor */
struct callout bd_callout; /* for BPF timeouts with select */
- struct label bd_label; /* MAC label for descriptor */
+ struct label *bd_label; /* MAC label for descriptor */
};
/* Values for bd_state */
diff --git a/sys/net/if_var.h b/sys/net/if_var.h
index 52cee5573b47..c77498f7366a 100644
--- a/sys/net/if_var.h
+++ b/sys/net/if_var.h
@@ -74,7 +74,6 @@ struct socket;
struct ether_header;
#endif
-#include <sys/_label.h> /* struct label */
#include <sys/queue.h> /* get TAILQ macros */
#ifdef _KERNEL
@@ -180,7 +179,7 @@ struct ifnet {
struct ifqueue *if_poll_slowq; /* input queue for slow devices */
struct ifprefixhead if_prefixhead; /* list of prefixes per if */
u_int8_t *if_broadcastaddr; /* linklevel broadcast bytestring */
- struct label if_label; /* interface MAC label */
+ struct label *if_label; /* interface MAC label */
void *if_afdata[AF_MAX];
int if_afdata_initialized;
diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h
index 881d40c5a10b..1b9d6c5aa583 100644
--- a/sys/netinet/ip_var.h
+++ b/sys/netinet/ip_var.h
@@ -39,10 +39,6 @@
#include <sys/queue.h>
-#ifdef _KERNEL
-#include <sys/_label.h>
-#endif
-
/*
* Overlay for ip header used by other protocols (tcp, udp).
*/
@@ -71,7 +67,7 @@ struct ipq {
u_char ipq_nfrags; /* # frags in this packet */
u_int32_t ipq_div_info; /* ipfw divert port & flags */
u_int16_t ipq_div_cookie; /* ipfw divert cookie */
- struct label ipq_label; /* MAC label */
+ struct label *ipq_label; /* MAC label */
};
#endif /* _KERNEL */
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index c45900379dcb..f9adf9bee8d0 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -256,6 +256,7 @@ mac_init(void)
LIST_INIT(&mac_static_policy_list);
LIST_INIT(&mac_policy_list);
+ mac_labelzone_init();
mtx_init(&mac_policy_mtx, "mac_policy_mtx", NULL, MTX_DEF);
cv_init(&mac_policy_cv, "mac_policy_cv");
@@ -565,7 +566,7 @@ __mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap)
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_cred_label(&tcred->cr_label, elements,
+ error = mac_externalize_cred_label(tcred->cr_label, elements,
buffer, mac.m_buflen);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -602,7 +603,7 @@ __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_cred_label(&td->td_ucred->cr_label,
+ error = mac_externalize_cred_label(td->td_ucred->cr_label,
elements, buffer, mac.m_buflen);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -619,7 +620,7 @@ int
__mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
{
struct ucred *newcred, *oldcred;
- struct label intlabel;
+ struct label *intlabel;
struct proc *p;
struct mac mac;
char *buffer;
@@ -640,13 +641,11 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
return (error);
}
- mac_init_cred_label(&intlabel);
- error = mac_internalize_cred_label(&intlabel, buffer);
+ intlabel = mac_cred_label_alloc();
+ error = mac_internalize_cred_label(intlabel, buffer);
free(buffer, M_MACTEMP);
- if (error) {
- mac_destroy_cred_label(&intlabel);
- return (error);
- }
+ if (error)
+ goto out;
newcred = crget();
@@ -654,7 +653,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
PROC_LOCK(p);
oldcred = p->p_ucred;
- error = mac_check_cred_relabel(oldcred, &intlabel);
+ error = mac_check_cred_relabel(oldcred, intlabel);
if (error) {
PROC_UNLOCK(p);
crfree(newcred);
@@ -663,7 +662,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
setsugid(p);
crcopy(newcred, oldcred);
- mac_relabel_cred(newcred, &intlabel);
+ mac_relabel_cred(newcred, intlabel);
p->p_ucred = newcred;
/*
@@ -683,7 +682,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
crfree(oldcred);
out:
- mac_destroy_cred_label(&intlabel);
+ mac_cred_label_free(intlabel);
return (error);
}
@@ -694,7 +693,7 @@ int
__mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
{
char *elements, *buffer;
- struct label intlabel;
+ struct label *intlabel;
struct file *fp;
struct mac mac;
struct vnode *vp;
@@ -729,20 +728,20 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
case DTYPE_VNODE:
vp = fp->f_vnode;
- mac_init_vnode_label(&intlabel);
+ intlabel = mac_vnode_label_alloc();
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- mac_copy_vnode_label(&vp->v_label, &intlabel);
+ mac_copy_vnode_label(vp->v_label, intlabel);
VOP_UNLOCK(vp, 0, td);
break;
case DTYPE_PIPE:
pipe = fp->f_data;
- mac_init_pipe_label(&intlabel);
+ intlabel = mac_pipe_label_alloc();
PIPE_LOCK(pipe);
- mac_copy_pipe_label(pipe->pipe_label, &intlabel);
+ mac_copy_pipe_label(pipe->pipe_label, intlabel);
PIPE_UNLOCK(pipe);
break;
default:
@@ -756,14 +755,14 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
case DTYPE_FIFO:
case DTYPE_VNODE:
if (error == 0)
- error = mac_externalize_vnode_label(&intlabel,
+ error = mac_externalize_vnode_label(intlabel,
elements, buffer, mac.m_buflen);
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
break;
case DTYPE_PIPE:
- error = mac_externalize_pipe_label(&intlabel, elements,
+ error = mac_externalize_pipe_label(intlabel, elements,
buffer, mac.m_buflen);
- mac_destroy_pipe_label(&intlabel);
+ mac_pipe_label_free(intlabel);
break;
default:
panic("__mac_get_fd: corrupted label_type");
@@ -788,7 +787,7 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
{
char *elements, *buffer;
struct nameidata nd;
- struct label intlabel;
+ struct label *intlabel;
struct mac mac;
int error;
@@ -815,13 +814,13 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
if (error)
goto out;
- mac_init_vnode_label(&intlabel);
- mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel);
- error = mac_externalize_vnode_label(&intlabel, elements, buffer,
+ intlabel = mac_vnode_label_alloc();
+ mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
+ error = mac_externalize_vnode_label(intlabel, elements, buffer,
mac.m_buflen);
NDFREE(&nd, 0);
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -843,7 +842,7 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
{
char *elements, *buffer;
struct nameidata nd;
- struct label intlabel;
+ struct label *intlabel;
struct mac mac;
int error;
@@ -870,12 +869,12 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
if (error)
goto out;
- mac_init_vnode_label(&intlabel);
- mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel);
- error = mac_externalize_vnode_label(&intlabel, elements, buffer,
+ intlabel = mac_vnode_label_alloc();
+ mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
+ error = mac_externalize_vnode_label(intlabel, elements, buffer,
mac.m_buflen);
NDFREE(&nd, 0);
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -895,7 +894,7 @@ out:
int
__mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
{
- struct label intlabel;
+ struct label *intlabel;
struct pipe *pipe;
struct file *fp;
struct mount *mp;
@@ -928,40 +927,40 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
switch (fp->f_type) {
case DTYPE_FIFO:
case DTYPE_VNODE:
- mac_init_vnode_label(&intlabel);
- error = mac_internalize_vnode_label(&intlabel, buffer);
+ intlabel = mac_vnode_label_alloc();
+ error = mac_internalize_vnode_label(intlabel, buffer);
if (error) {
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
break;
}
vp = fp->f_vnode;
error = vn_start_write(vp, &mp, V_WAIT | PCATCH);
if (error != 0) {
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
break;
}
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- error = vn_setlabel(vp, &intlabel, td->td_ucred);
+ error = vn_setlabel(vp, intlabel, td->td_ucred);
VOP_UNLOCK(vp, 0, td);
vn_finished_write(mp);
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
break;
case DTYPE_PIPE:
- mac_init_pipe_label(&intlabel);
- error = mac_internalize_pipe_label(&intlabel, buffer);
+ intlabel = mac_pipe_label_alloc();
+ error = mac_internalize_pipe_label(intlabel, buffer);
if (error == 0) {
pipe = fp->f_data;
PIPE_LOCK(pipe);
error = mac_pipe_label_set(td->td_ucred, pipe,
- &intlabel);
+ intlabel);
PIPE_UNLOCK(pipe);
}
- mac_destroy_pipe_label(&intlabel);
+ mac_pipe_label_free(intlabel);
break;
default:
@@ -983,7 +982,7 @@ out:
int
__mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
{
- struct label intlabel;
+ struct label *intlabel;
struct nameidata nd;
struct mount *mp;
struct mac mac;
@@ -1005,13 +1004,11 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
return (error);
}
- mac_init_vnode_label(&intlabel);
- error = mac_internalize_vnode_label(&intlabel, buffer);
+ intlabel = mac_vnode_label_alloc();
+ error = mac_internalize_vnode_label(intlabel, buffer);
free(buffer, M_MACTEMP);
- if (error) {
- mac_destroy_vnode_label(&intlabel);
- return (error);
- }
+ if (error)
+ goto out;
mtx_lock(&Giant); /* VFS */
@@ -1021,15 +1018,15 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
if (error == 0) {
error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
if (error == 0)
- error = vn_setlabel(nd.ni_vp, &intlabel,
+ error = vn_setlabel(nd.ni_vp, intlabel,
td->td_ucred);
vn_finished_write(mp);
}
NDFREE(&nd, 0);
mtx_unlock(&Giant); /* VFS */
- mac_destroy_vnode_label(&intlabel);
-
+out:
+ mac_vnode_label_free(intlabel);
return (error);
}
@@ -1039,7 +1036,7 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
int
__mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
{
- struct label intlabel;
+ struct label *intlabel;
struct nameidata nd;
struct mount *mp;
struct mac mac;
@@ -1061,13 +1058,11 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
return (error);
}
- mac_init_vnode_label(&intlabel);
- error = mac_internalize_vnode_label(&intlabel, buffer);
+ intlabel = mac_vnode_label_alloc();
+ error = mac_internalize_vnode_label(intlabel, buffer);
free(buffer, M_MACTEMP);
- if (error) {
- mac_destroy_vnode_label(&intlabel);
- return (error);
- }
+ if (error)
+ goto out;
mtx_lock(&Giant); /* VFS */
@@ -1077,15 +1072,15 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
if (error == 0) {
error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
if (error == 0)
- error = vn_setlabel(nd.ni_vp, &intlabel,
+ error = vn_setlabel(nd.ni_vp, intlabel,
td->td_ucred);
vn_finished_write(mp);
}
NDFREE(&nd, 0);
mtx_unlock(&Giant); /* VFS */
- mac_destroy_vnode_label(&intlabel);
-
+out:
+ mac_vnode_label_free(intlabel);
return (error);
}
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 7955c25aa611..1dc6bf111fae 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -144,7 +144,6 @@ int mac_init_mbuf_tag(struct m_tag *, int flag);
void mac_init_mount(struct mount *);
void mac_init_proc(struct proc *);
void mac_init_vnode(struct vnode *);
-void mac_init_vnode_label(struct label *);
void mac_copy_mbuf_tag(struct m_tag *, struct m_tag *);
void mac_copy_vnode_label(struct label *, struct label *label);
void mac_destroy_bpfdesc(struct bpf_d *);
@@ -158,7 +157,12 @@ void mac_destroy_proc(struct proc *);
void mac_destroy_mbuf_tag(struct m_tag *);
void mac_destroy_mount(struct mount *);
void mac_destroy_vnode(struct vnode *);
-void mac_destroy_vnode_label(struct label *);
+
+struct label *mac_cred_label_alloc(void);
+void mac_cred_label_free(struct label *label);
+struct label *mac_vnode_label_alloc(void);
+void mac_vnode_label_free(struct label *label);
+void mac_destroy_vnode_label(struct label *);
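Review bot: The new allocator prototypes carry no contract: the kern_mac.c callers in this commit use the result without a NULL check, which is only correct if these always allocate with M_WAITOK, and nothing states which `_free` pairs with which `_alloc`. Suggest a comment above `mac_cred_label_alloc()`, `/* Allocate and policy-initialize a label; sleeps (M_WAITOK) and never returns NULL. Release with the matching *_label_free(). */`, hedged until the definitions, which are not in this diff, confirm it. Separately, `mac_destroy_vnode_label()` is removed and re-added here while its counterpart `mac_init_vnode_label()` is dropped for good; if a caller still needs the asymmetric survivor, a one-line comment saying so would keep the next cleanup from removing it.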
/*
* Labeling event operations: file system objects, and things that
@@ -220,8 +224,7 @@ void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq);
* Labeling event operations: processes.
*/
void mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child);
-int mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
- struct label *execlabel);
+int mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
void mac_execve_exit(struct image_params *imgp);
void mac_execve_transition(struct ucred *old, struct ucred *new,
struct vnode *vp, struct label *interpvnodelabel,
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index b07cf6fd32c4..957057bd002f 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -59,6 +59,7 @@ extern struct mac_policy_list_head mac_policy_list;
extern struct mac_policy_list_head mac_static_policy_list;
extern int mac_late;
extern int mac_enforce_process;
+extern int mac_enforce_sysv;
extern int mac_enforce_vm;
#ifndef MAC_ALWAYS_LABEL_MBUF
extern int mac_labelmbufs;
@@ -88,6 +89,10 @@ void mac_policy_list_busy(void);
int mac_policy_list_conditional_busy(void);
void mac_policy_list_unbusy(void);
+struct label *mac_labelzone_alloc(int flags);
+void mac_labelzone_free(struct label *label);
+void mac_labelzone_init(void);
+
void mac_init_label(struct label *label);
void mac_destroy_label(struct label *label);
int mac_check_structmac_consistent(struct mac *mac);
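Review bot: `mac_labelzone_alloc(int flags)` is declared without saying what `flags` holds or that the call may return NULL; mac_net.c in this same commit checks the result when it forwards a caller-supplied flag and skips the check for `M_WAITOK`, so both behaviours should be spelled out here. Suggest `/* flags: M_WAITOK or M_NOWAIT; returns NULL only when M_NOWAIT cannot be satisfied. */` above the alloc declaration and `/* Accepts only labels obtained from mac_labelzone_alloc(). */` above the free.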
@@ -98,19 +103,18 @@ int mac_allocate_slot(void);
* the namespaces, etc, should work for these, so for now, sort by
* object type.
*/
+struct label *mac_pipe_label_alloc(void);
+void mac_pipe_label_free(struct label *label);
+
int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel);
-void mac_destroy_cred_label(struct label *label);
-int mac_externalize_cred_label(struct label *label, char *elements,
+int mac_externalize_cred_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
-void mac_init_cred_label(struct label *label);
int mac_internalize_cred_label(struct label *label, char *string);
void mac_relabel_cred(struct ucred *cred, struct label *newlabel);
void mac_copy_pipe_label(struct label *src, struct label *dest);
-void mac_destroy_pipe_label(struct label *label);
int mac_externalize_pipe_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
-void mac_init_pipe_label(struct label *label);
int mac_internalize_pipe_label(struct label *label, char *string);
int mac_externalize_vnode_label(struct label *label, char *elements,
diff --git a/sys/security/mac/mac_label.c b/sys/security/mac/mac_label.c
new file mode 100644
index 000000000000..eedc1dfaa3d9
--- /dev/null
+++ b/sys/security/mac/mac_label.c
@@ -0,0 +1,97 @@
+/*-
+ * Copyright (c) 2003 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project in part by Network
+ * Associates Laboratories, the Security Research Division of Network
+ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+ * as part of the DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include "opt_mac.h"
+
+#include <sys/param.h>
+#include <sys/mac.h>
+#include <sys/sysctl.h>
+#include <sys/systm.h>
+
+#include <vm/uma.h>
+
+#include <security/mac/mac_internal.h>
+
+uma_zone_t zone_label;
+
+static void mac_labelzone_ctor(void *mem, int size, void *arg);
+static void mac_labelzone_dtor(void *mem, int size, void *arg);
+
+void
+mac_labelzone_init(void)
+{
+
+ zone_label = uma_zcreate("MAC labels", sizeof(struct label),
+ mac_labelzone_ctor, mac_labelzone_dtor, NULL, NULL,
+ UMA_ALIGN_PTR, 0);
+}
+
+static void
+mac_labelzone_ctor(void *mem, int size, void *arg)
+{
+ struct label *label;
+
+ KASSERT(size == sizeof(*label), ("mac_labelzone_ctor: wrong size\n"));
+ label = mem;
+ bzero(label, sizeof(*label));
+ label->l_flags = MAC_FLAG_INITIALIZED;
+}
+
+static void
+mac_labelzone_dtor(void *mem, int size, void *arg)
+{
+ struct label *label;
+
+ KASSERT(size == sizeof(*label), ("mac_labelzone_dtor: wrong size\n"));
+ label = mem;
+#ifdef DIAGNOSTIC
+ bzero(label, sizeof(*label));
+#else
+ label->l_flags &= ~MAC_FLAG_INITIALIZED;
+#endif
+}
+
+struct label *
+mac_labelzone_alloc(int flags)
+{
+
+ return (uma_zalloc(zone_label, flags));
+}
+
+void
+mac_labelzone_free(struct label *label)
+{
+
+ uma_zfree(zone_label, label);
+}
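Review bot: `uma_zone_t zone_label;` at the top of the new file has external linkage, yet every use is inside this file and `mac_internal.h` exposes only the init/alloc/free wrappers, so it should be `static uma_zone_t zone_label;` to keep the zone handle private. The trailing `\n` in the two KASSERT messages is conventionally omitted, as panic() supplies its own line end. A short file-scope comment is also missing: one noting that the ctor zeroes the whole label and sets `MAC_FLAG_INITIALIZED`, while the dtor clears only that flag outside DIAGNOSTIC builds so the rest of the label persists in the zone until the next ctor run, would make the lifecycle explicit for policy authors.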
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 308231e21192..79503930c0d2 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -91,7 +91,8 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD,
&nmacsockets, 0, "number of sockets in use");
#endif
-static void mac_destroy_socket_label(struct label *label);
+static void mac_socket_label_free(struct label *label);
+
static struct label *
mbuf_to_label(struct mbuf *mbuf)
@@ -105,46 +106,70 @@ mbuf_to_label(struct mbuf *mbuf)
return (label);
}
+static struct label *
+mac_bpfdesc_label_alloc(void)
+{
+ struct label *label;
+
+ label = mac_labelzone_alloc(M_WAITOK);
+ MAC_PERFORM(init_bpfdesc_label, label);
+ MAC_DEBUG_COUNTER_INC(&nmacbpfdescs);
+ return (label);
+}
+
void
mac_init_bpfdesc(struct bpf_d *bpf_d)
{
- mac_init_label(&bpf_d->bd_label);
- MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
- MAC_DEBUG_COUNTER_INC(&nmacbpfdescs);
+ bpf_d->bd_label = mac_bpfdesc_label_alloc();
}
-static void
-mac_init_ifnet_label(struct label *label)
+static struct label *
+mac_ifnet_label_alloc(void)
{
+ struct label *label;
- mac_init_label(label);
+ label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_ifnet_label, label);
MAC_DEBUG_COUNTER_INC(&nmacifnets);
+ return (label);
}
void
mac_init_ifnet(struct ifnet *ifp)
{
- mac_init_ifnet_label(&ifp->if_label);
+ ifp->if_label = mac_ifnet_label_alloc();
}
-int
-mac_init_ipq(struct ipq *ipq, int flag)
+static struct label *
+mac_ipq_label_alloc(int flag)
{
+ struct label *label;
int error;
- mac_init_label(&ipq->ipq_label);
+ label = mac_labelzone_alloc(flag);
+ if (label == NULL)
+ return (NULL);
- MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag);
+ MAC_CHECK(init_ipq_label, label, flag);
if (error) {
- MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
- mac_destroy_label(&ipq->ipq_label);
- } else {
- MAC_DEBUG_COUNTER_INC(&nmacipqs);
+ MAC_PERFORM(destroy_ipq_label, label);
+ mac_labelzone_free(label);
+ return (NULL);
}
- return (error);
+ MAC_DEBUG_COUNTER_INC(&nmacipqs);
+ return (label);
+}
+
+int
+mac_init_ipq(struct ipq *ipq, int flag)
+{
+
+ ipq->ipq_label = mac_ipq_label_alloc(flag);
+ if (ipq->ipq_label == NULL)
+ return (ENOMEM);
+ return (0);
}
int
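Review bot: mac_init_ipq now reports every failure of mac_ipq_label_alloc() as ENOMEM, although that helper also returns NULL when a policy's init_ipq_label hook fails through MAC_CHECK, so the policy's own error code (which the old mac_init_ipq returned to its caller) is lost. The same collapse happens in mac_init_socket in the next hunk, where both mac_socket_label_alloc() and mac_socket_peer_label_alloc() discard the MAC_CHECK result before the caller sees it. If callers should still be able to tell a policy rejection from allocation failure, the helpers could return the error through an `int *errorp` out-parameter; otherwise a comment on mac_init_ipq such as `/* Policy init failures are reported as ENOMEM; callers drop the queue either way. */` would make the intent explicit.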
@@ -195,71 +220,85 @@ mac_init_mbuf(struct mbuf *m, int flag)
return (0);
}
-static int
-mac_init_socket_label(struct label *label, int flag)
+static struct label *
+mac_socket_label_alloc(int flag)
{
+ struct label *label;
int error;
- mac_init_label(label);
+ label = mac_labelzone_alloc(flag);
+ if (label == NULL)
+ return (NULL);
MAC_CHECK(init_socket_label, label, flag);
if (error) {
MAC_PERFORM(destroy_socket_label, label);
- mac_destroy_label(label);
- } else {
- MAC_DEBUG_COUNTER_INC(&nmacsockets);
+ mac_labelzone_free(label);
+ return (NULL);
}
-
- return (error);
+ MAC_DEBUG_COUNTER_INC(&nmacsockets);
+ return (label);
}
-static int
-mac_init_socket_peer_label(struct label *label, int flag)
+static struct label *
+mac_socket_peer_label_alloc(int flag)
{
+ struct label *label;
int error;
- mac_init_label(label);
+ label = mac_labelzone_alloc(flag);
+ if (label == NULL)
+ return (NULL);
MAC_CHECK(init_socket_peer_label, label, flag);
if (error) {
MAC_PERFORM(destroy_socket_peer_label, label);
- mac_destroy_label(label);
+ mac_labelzone_free(label);
+ return (NULL);
}
-
- return (error);
+ MAC_DEBUG_COUNTER_INC(&nmacsockets);
+ return (label);
}
int
-mac_init_socket(struct socket *socket, int flag)
+mac_init_socket(struct socket *so, int flag)
{
- int error;
- error = mac_init_socket_label(&socket->so_label, flag);
- if (error)
- return (error);
+ so->so_label = mac_socket_label_alloc(flag);
+ if (so->so_label == NULL)
+ return (ENOMEM);
+ so->so_peerlabel = mac_socket_peer_label_alloc(flag);
+ if (so->so_peerlabel == NULL) {
+ mac_socket_label_free(so->so_label);
+ so->so_label = NULL;
+ return (ENOMEM);
+ }
+ return (0);
+}
- error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
- if (error)
- mac_destroy_socket_label(&socket->so_label);
+static void
+mac_bpfdesc_label_free(struct label *label)
+{
- return (error);
+ MAC_PERFORM(destroy_bpfdesc_label, label);
+ mac_labelzone_free(label);
+ MAC_DEBUG_COUNTER_DEC(&nmacbpfdescs);
}
void
mac_destroy_bpfdesc(struct bpf_d *bpf_d)
{
- MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
- mac_destroy_label(&bpf_d->bd_label);
- MAC_DEBUG_COUNTER_DEC(&nmacbpfdescs);
+ mac_bpfdesc_label_free(bpf_d->bd_label);
+ bpf_d->bd_label = NULL;
}
static void
-mac_destroy_ifnet_label(struct label *label)
+mac_ifnet_label_free(struct label *label)
{
MAC_PERFORM(destroy_ifnet_label, label);
- mac_destroy_label(label);
+ mac_labelzone_free(label);
MAC_DEBUG_COUNTER_DEC(&nmacifnets);
}
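Review bot: mac_socket_peer_label_alloc() now executes `MAC_DEBUG_COUNTER_INC(&nmacsockets)`, and mac_socket_peer_label_free() in a later hunk decrements the same counter, so nmacsockets advances twice per socket while its SYSCTL_UINT description still reads "number of sockets in use". Either drop the INC/DEC on the peer-label path, or give the peer labels their own counter so the debug counters remain usable for leak hunting; the mount label allocators in mac_vfs.c appear to double-count nmacmounts in the same way.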
@@ -267,16 +306,25 @@ void
mac_destroy_ifnet(struct ifnet *ifp)
{
- mac_destroy_ifnet_label(&ifp->if_label);
+ mac_ifnet_label_free(ifp->if_label);
+ ifp->if_label = NULL;
+}
+
+static void
+mac_ipq_label_free(struct label *label)
+{
+
+ MAC_PERFORM(destroy_ipq_label, label);
+ mac_labelzone_free(label);
+ MAC_DEBUG_COUNTER_DEC(&nmacipqs);
}
void
mac_destroy_ipq(struct ipq *ipq)
{
- MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
- mac_destroy_label(&ipq->ipq_label);
- MAC_DEBUG_COUNTER_DEC(&nmacipqs);
+ mac_ipq_label_free(ipq->ipq_label);
+ ipq->ipq_label = NULL;
}
void
@@ -292,28 +340,31 @@ mac_destroy_mbuf_tag(struct m_tag *tag)
}
static void
-mac_destroy_socket_label(struct label *label)
+mac_socket_label_free(struct label *label)
{
MAC_PERFORM(destroy_socket_label, label);
- mac_destroy_label(label);
+ mac_labelzone_free(label);
MAC_DEBUG_COUNTER_DEC(&nmacsockets);
}
static void
-mac_destroy_socket_peer_label(struct label *label)
+mac_socket_peer_label_free(struct label *label)
{
MAC_PERFORM(destroy_socket_peer_label, label);
- mac_destroy_label(label);
+ mac_labelzone_free(label);
+ MAC_DEBUG_COUNTER_DEC(&nmacsockets);
}
void
mac_destroy_socket(struct socket *socket)
{
- mac_destroy_socket_label(&socket->so_label);
- mac_destroy_socket_peer_label(&socket->so_peerlabel);
+ mac_socket_label_free(socket->so_label);
+ socket->so_label = NULL;
+ mac_socket_peer_label_free(socket->so_peerlabel);
+ socket->so_peerlabel = NULL;
}
void
@@ -388,21 +439,21 @@ void
mac_create_ifnet(struct ifnet *ifnet)
{
- MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label);
+ MAC_PERFORM(create_ifnet, ifnet, ifnet->if_label);
}
void
mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d)
{
- MAC_PERFORM(create_bpfdesc, cred, bpf_d, &bpf_d->bd_label);
+ MAC_PERFORM(create_bpfdesc, cred, bpf_d, bpf_d->bd_label);
}
void
mac_create_socket(struct ucred *cred, struct socket *socket)
{
- MAC_PERFORM(create_socket, cred, socket, &socket->so_label);
+ MAC_PERFORM(create_socket, cred, socket, socket->so_label);
}
void
@@ -410,8 +461,8 @@ mac_create_socket_from_socket(struct socket *oldsocket,
struct socket *newsocket)
{
- MAC_PERFORM(create_socket_from_socket, oldsocket, &oldsocket->so_label,
- newsocket, &newsocket->so_label);
+ MAC_PERFORM(create_socket_from_socket, oldsocket, oldsocket->so_label,
+ newsocket, newsocket->so_label);
}
static void
@@ -419,7 +470,7 @@ mac_relabel_socket(struct ucred *cred, struct socket *socket,
struct label *newlabel)
{
- MAC_PERFORM(relabel_socket, cred, socket, &socket->so_label, newlabel);
+ MAC_PERFORM(relabel_socket, cred, socket, socket->so_label, newlabel);
}
void
@@ -430,7 +481,7 @@ mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket)
label = mbuf_to_label(mbuf);
MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, label, socket,
- &socket->so_peerlabel);
+ socket->so_peerlabel);
}
void
@@ -439,7 +490,7 @@ mac_set_socket_peer_from_socket(struct socket *oldsocket,
{
MAC_PERFORM(set_socket_peer_from_socket, oldsocket,
- &oldsocket->so_label, newsocket, &newsocket->so_peerlabel);
+ oldsocket->so_label, newsocket, newsocket->so_peerlabel);
}
void
@@ -449,7 +500,7 @@ mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram)
label = mbuf_to_label(datagram);
- MAC_PERFORM(create_datagram_from_ipq, ipq, &ipq->ipq_label,
+ MAC_PERFORM(create_datagram_from_ipq, ipq, ipq->ipq_label,
datagram, label);
}
@@ -472,7 +523,7 @@ mac_create_ipq(struct mbuf *fragment, struct ipq *ipq)
label = mbuf_to_label(fragment);
- MAC_PERFORM(create_ipq, fragment, label, ipq, &ipq->ipq_label);
+ MAC_PERFORM(create_ipq, fragment, label, ipq, ipq->ipq_label);
}
void
@@ -494,7 +545,7 @@ mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf)
label = mbuf_to_label(mbuf);
- MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, &bpf_d->bd_label, mbuf,
+ MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, bpf_d->bd_label, mbuf,
label);
}
@@ -505,7 +556,7 @@ mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf)
label = mbuf_to_label(mbuf);
- MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf,
+ MAC_PERFORM(create_mbuf_linklayer, ifnet, ifnet->if_label, mbuf,
label);
}
@@ -516,7 +567,7 @@ mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf)
label = mbuf_to_label(mbuf);
- MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf,
+ MAC_PERFORM(create_mbuf_from_ifnet, ifnet, ifnet->if_label, mbuf,
label);
}
@@ -530,7 +581,7 @@ mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet,
newmbuflabel = mbuf_to_label(newmbuf);
MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, oldmbuflabel,
- ifnet, &ifnet->if_label, newmbuf, newmbuflabel);
+ ifnet, ifnet->if_label, newmbuf, newmbuflabel);
}
void
@@ -555,7 +606,7 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
result = 1;
MAC_BOOLEAN(fragment_match, &&, fragment, label, ipq,
- &ipq->ipq_label);
+ ipq->ipq_label);
return (result);
}
@@ -586,7 +637,7 @@ mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
label = mbuf_to_label(fragment);
- MAC_PERFORM(update_ipq, fragment, label, ipq, &ipq->ipq_label);
+ MAC_PERFORM(update_ipq, fragment, label, ipq, ipq->ipq_label);
}
void
@@ -596,7 +647,7 @@ mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf)
label = mbuf_to_label(mbuf);
- MAC_PERFORM(create_mbuf_from_socket, socket, &socket->so_label, mbuf,
+ MAC_PERFORM(create_mbuf_from_socket, socket, socket->so_label, mbuf,
label);
}
@@ -608,8 +659,8 @@ mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet)
if (!mac_enforce_network)
return (0);
- MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet,
- &ifnet->if_label);
+ MAC_CHECK(check_bpfdesc_receive, bpf_d, bpf_d->bd_label, ifnet,
+ ifnet->if_label);
return (error);
}
@@ -627,7 +678,7 @@ mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf)
label = mbuf_to_label(mbuf);
- MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf,
+ MAC_CHECK(check_ifnet_transmit, ifnet, ifnet->if_label, mbuf,
label);
return (error);
@@ -642,7 +693,7 @@ mac_check_socket_bind(struct ucred *ucred, struct socket *socket,
if (!mac_enforce_socket)
return (0);
- MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label,
+ MAC_CHECK(check_socket_bind, ucred, socket, socket->so_label,
sockaddr);
return (error);
@@ -657,7 +708,7 @@ mac_check_socket_connect(struct ucred *cred, struct socket *socket,
if (!mac_enforce_socket)
return (0);
- MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label,
+ MAC_CHECK(check_socket_connect, cred, socket, socket->so_label,
sockaddr);
return (error);
@@ -674,7 +725,7 @@ mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf)
label = mbuf_to_label(mbuf);
- MAC_CHECK(check_socket_deliver, socket, &socket->so_label, mbuf,
+ MAC_CHECK(check_socket_deliver, socket, socket->so_label, mbuf,
label);
return (error);
@@ -688,7 +739,7 @@ mac_check_socket_listen(struct ucred *cred, struct socket *socket)
if (!mac_enforce_socket)
return (0);
- MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label);
+ MAC_CHECK(check_socket_listen, cred, socket, socket->so_label);
return (error);
}
@@ -700,7 +751,7 @@ mac_check_socket_receive(struct ucred *cred, struct socket *so)
if (!mac_enforce_socket)
return (0);
- MAC_CHECK(check_socket_receive, cred, so, &so->so_label);
+ MAC_CHECK(check_socket_receive, cred, so, so->so_label);
return (error);
}
@@ -711,7 +762,7 @@ mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
{
int error;
- MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label,
+ MAC_CHECK(check_socket_relabel, cred, socket, socket->so_label,
newlabel);
return (error);
@@ -725,7 +776,7 @@ mac_check_socket_send(struct ucred *cred, struct socket *so)
if (!mac_enforce_socket)
return (0);
- MAC_CHECK(check_socket_send, cred, so, &so->so_label);
+ MAC_CHECK(check_socket_send, cred, so, so->so_label);
return (error);
}
@@ -738,7 +789,7 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
if (!mac_enforce_socket)
return (0);
- MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label);
+ MAC_CHECK(check_socket_visible, cred, socket, socket->so_label);
return (error);
}
@@ -767,7 +818,7 @@ mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_ifnet_label(&ifnet->if_label, elements,
+ error = mac_externalize_ifnet_label(ifnet->if_label, elements,
buffer, mac.m_buflen);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -782,7 +833,7 @@ int
mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
struct ifnet *ifnet)
{
- struct label intlabel;
+ struct label *intlabel;
struct mac mac;
char *buffer;
int error;
@@ -802,11 +853,11 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
return (error);
}
- mac_init_ifnet_label(&intlabel);
- error = mac_internalize_ifnet_label(&intlabel, buffer);
+ intlabel = mac_ifnet_label_alloc();
+ error = mac_internalize_ifnet_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error) {
- mac_destroy_ifnet_label(&intlabel);
+ mac_ifnet_label_free(intlabel);
return (error);
}
@@ -817,20 +868,20 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
*/
error = suser_cred(cred, 0);
if (error) {
- mac_destroy_ifnet_label(&intlabel);
+ mac_ifnet_label_free(intlabel);
return (error);
}
- MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label,
- &intlabel);
+ MAC_CHECK(check_ifnet_relabel, cred, ifnet, ifnet->if_label,
+ intlabel);
if (error) {
- mac_destroy_ifnet_label(&intlabel);
+ mac_ifnet_label_free(intlabel);
return (error);
}
- MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel);
+ MAC_PERFORM(relabel_ifnet, cred, ifnet, ifnet->if_label, intlabel);
- mac_destroy_ifnet_label(&intlabel);
+ mac_ifnet_label_free(intlabel);
return (0);
}
@@ -838,7 +889,7 @@ int
mac_setsockopt_label_set(struct ucred *cred, struct socket *so,
struct mac *mac)
{
- struct label intlabel;
+ struct label *intlabel;
char *buffer;
int error;
@@ -853,23 +904,23 @@ mac_setsockopt_label_set(struct ucred *cred, struct socket *so,
return (error);
}
- mac_init_socket_label(&intlabel, M_WAITOK);
- error = mac_internalize_socket_label(&intlabel, buffer);
+ intlabel = mac_socket_label_alloc(M_WAITOK);
+ error = mac_internalize_socket_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error) {
- mac_destroy_socket_label(&intlabel);
+ mac_socket_label_free(intlabel);
return (error);
}
- mac_check_socket_relabel(cred, so, &intlabel);
+ mac_check_socket_relabel(cred, so, intlabel);
if (error) {
- mac_destroy_socket_label(&intlabel);
+ mac_socket_label_free(intlabel);
return (error);
}
- mac_relabel_socket(cred, so, &intlabel);
+ mac_relabel_socket(cred, so, intlabel);
- mac_destroy_socket_label(&intlabel);
+ mac_socket_label_free(intlabel);
return (0);
}
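Review bot: The return value of mac_check_socket_relabel(cred, so, intlabel) is discarded, so the `if (error)` that follows only re-tests the result of mac_internalize_socket_label (already known to be 0 here) and the relabel proceeds regardless of the policies' decision; the line should read `error = mac_check_socket_relabel(cred, so, intlabel);`. Separately, mac_socket_label_alloc() returns NULL when a policy's init_socket_label hook fails even with M_WAITOK, and intlabel is passed straight to mac_internalize_socket_label without a check; adding `if (intlabel == NULL) { free(buffer, M_MACTEMP); return (ENOMEM); }` right after the allocation closes that path. The body of mac_setsockopt_label_set begins in the preceding hunk.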
@@ -892,7 +943,7 @@ mac_getsockopt_label_get(struct ucred *cred, struct socket *so,
}
buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_socket_label(&so->so_label, elements,
+ error = mac_externalize_socket_label(so->so_label, elements,
buffer, mac->m_buflen);
if (error == 0)
error = copyout(buffer, mac->m_string, strlen(buffer)+1);
@@ -922,7 +973,7 @@ mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so,
}
buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_socket_peer_label(&so->so_peerlabel,
+ error = mac_externalize_socket_peer_label(so->so_peerlabel,
elements, buffer, mac->m_buflen);
if (error == 0)
error = copyout(buffer, mac->m_string, strlen(buffer)+1);
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index b30ebaf5385b..61633c3bebc4 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -61,34 +61,31 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD,
&nmacpipes, 0, "number of pipes in use");
#endif
-MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
-
-void
-mac_init_pipe_label(struct label *label)
+struct label *
+mac_pipe_label_alloc(void)
{
+ struct label *label;
- mac_init_label(label);
+ label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_pipe_label, label);
MAC_DEBUG_COUNTER_INC(&nmacpipes);
+ return (label);
}
void
mac_init_pipe(struct pipe *pipe)
{
- struct label *label;
- label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK);
- pipe->pipe_label = label;
- pipe->pipe_peer->pipe_label = label;
- mac_init_pipe_label(label);
+ pipe->pipe_label = pipe->pipe_peer->pipe_label =
+ mac_pipe_label_alloc();
}
void
-mac_destroy_pipe_label(struct label *label)
+mac_pipe_label_free(struct label *label)
{
MAC_PERFORM(destroy_pipe_label, label);
- mac_destroy_label(label);
+ mac_labelzone_free(label);
MAC_DEBUG_COUNTER_DEC(&nmacpipes);
}
@@ -96,8 +93,8 @@ void
mac_destroy_pipe(struct pipe *pipe)
{
- mac_destroy_pipe_label(pipe->pipe_label);
- free(pipe->pipe_label, M_MACPIPELABEL);
+ mac_pipe_label_free(pipe->pipe_label);
+ pipe->pipe_label = NULL;
}
void
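Review bot: mac_destroy_pipe clears only pipe->pipe_label after freeing it, yet mac_init_pipe in the previous hunk stores the same label pointer in pipe->pipe_peer->pipe_label as well. If the peer end can still be reachable when this runs, its copy is left dangling and a later mac_destroy_pipe on the peer would free the label a second time; if teardown guarantees the peer is already gone, a comment such as `/* Label is shared with the peer; caller guarantees the peer is torn down first. */` would document that invariant.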
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index 769767121036..68d847dcfb4e 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -96,37 +96,48 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD,
static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
struct ucred *cred, struct vm_map *map);
-void
-mac_init_cred_label(struct label *label)
+struct label *
+mac_cred_label_alloc(void)
{
+ struct label *label;
- mac_init_label(label);
+ label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_cred_label, label);
MAC_DEBUG_COUNTER_INC(&nmaccreds);
+ return (label);
}
void
mac_init_cred(struct ucred *cred)
{
- mac_init_cred_label(&cred->cr_label);
+ cred->cr_label = mac_cred_label_alloc();
+}
+
+static struct label *
+mac_proc_label_alloc(void)
+{
+ struct label *label;
+
+ label = mac_labelzone_alloc(M_WAITOK);
+ MAC_PERFORM(init_proc_label, label);
+ MAC_DEBUG_COUNTER_INC(&nmacprocs);
+ return (label);
}
void
mac_init_proc(struct proc *p)
{
- mac_init_label(&p->p_label);
- MAC_PERFORM(init_proc_label, &p->p_label);
- MAC_DEBUG_COUNTER_INC(&nmacprocs);
+ p->p_label = mac_proc_label_alloc();
}
void
-mac_destroy_cred_label(struct label *label)
+mac_cred_label_free(struct label *label)
{
MAC_PERFORM(destroy_cred_label, label);
- mac_destroy_label(label);
+ mac_labelzone_free(label);
MAC_DEBUG_COUNTER_DEC(&nmaccreds);
}
@@ -134,16 +145,25 @@ void
mac_destroy_cred(struct ucred *cred)
{
- mac_destroy_cred_label(&cred->cr_label);
+ mac_cred_label_free(cred->cr_label);
+ cred->cr_label = NULL;
+}
+
+static void
+mac_proc_label_free(struct label *label)
+{
+
+ MAC_PERFORM(destroy_proc_label, label);
+ mac_labelzone_free(label);
+ MAC_DEBUG_COUNTER_DEC(&nmacprocs);
}
void
mac_destroy_proc(struct proc *p)
{
- MAC_PERFORM(destroy_proc_label, &p->p_label);
- mac_destroy_label(&p->p_label);
- MAC_DEBUG_COUNTER_DEC(&nmacprocs);
+ mac_proc_label_free(p->p_label);
+ p->p_label = NULL;
}
int
@@ -209,9 +229,9 @@ mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
}
int
-mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
- struct label *execlabelstorage)
+mac_execve_enter(struct image_params *imgp, struct mac *mac_p)
{
+ struct label *label;
struct mac mac;
char *buffer;
int error;
@@ -234,22 +254,24 @@ mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
return (error);
}
- mac_init_cred_label(execlabelstorage);
- error = mac_internalize_cred_label(execlabelstorage, buffer);
+ label = mac_cred_label_alloc();
+ error = mac_internalize_cred_label(label, buffer);
free(buffer, M_MACTEMP);
if (error) {
- mac_destroy_cred_label(execlabelstorage);
+ mac_cred_label_free(label);
return (error);
}
- imgp->execlabel = execlabelstorage;
+ imgp->execlabel = label;
return (0);
}
void
mac_execve_exit(struct image_params *imgp)
{
- if (imgp->execlabel != NULL)
- mac_destroy_cred_label(imgp->execlabel);
+ if (imgp->execlabel != NULL) {
+ mac_cred_label_free(imgp->execlabel);
+ imgp->execlabel = NULL;
+ }
}
/*
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index c45900379dcb..f9adf9bee8d0 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -256,6 +256,7 @@ mac_init(void)
LIST_INIT(&mac_static_policy_list);
LIST_INIT(&mac_policy_list);
+ mac_labelzone_init();
mtx_init(&mac_policy_mtx, "mac_policy_mtx", NULL, MTX_DEF);
cv_init(&mac_policy_cv, "mac_policy_cv");
@@ -565,7 +566,7 @@ __mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap)
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_cred_label(&tcred->cr_label, elements,
+ error = mac_externalize_cred_label(tcred->cr_label, elements,
buffer, mac.m_buflen);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -602,7 +603,7 @@ __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_cred_label(&td->td_ucred->cr_label,
+ error = mac_externalize_cred_label(td->td_ucred->cr_label,
elements, buffer, mac.m_buflen);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -619,7 +620,7 @@ int
__mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
{
struct ucred *newcred, *oldcred;
- struct label intlabel;
+ struct label *intlabel;
struct proc *p;
struct mac mac;
char *buffer;
@@ -640,13 +641,11 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
return (error);
}
- mac_init_cred_label(&intlabel);
- error = mac_internalize_cred_label(&intlabel, buffer);
+ intlabel = mac_cred_label_alloc();
+ error = mac_internalize_cred_label(intlabel, buffer);
free(buffer, M_MACTEMP);
- if (error) {
- mac_destroy_cred_label(&intlabel);
- return (error);
- }
+ if (error)
+ goto out;
newcred = crget();
@@ -654,7 +653,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
PROC_LOCK(p);
oldcred = p->p_ucred;
- error = mac_check_cred_relabel(oldcred, &intlabel);
+ error = mac_check_cred_relabel(oldcred, intlabel);
if (error) {
PROC_UNLOCK(p);
crfree(newcred);
@@ -663,7 +662,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
setsugid(p);
crcopy(newcred, oldcred);
- mac_relabel_cred(newcred, &intlabel);
+ mac_relabel_cred(newcred, intlabel);
p->p_ucred = newcred;
/*
@@ -683,7 +682,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
crfree(oldcred);
out:
- mac_destroy_cred_label(&intlabel);
+ mac_cred_label_free(intlabel);
return (error);
}
@@ -694,7 +693,7 @@ int
__mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
{
char *elements, *buffer;
- struct label intlabel;
+ struct label *intlabel;
struct file *fp;
struct mac mac;
struct vnode *vp;
@@ -729,20 +728,20 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
case DTYPE_VNODE:
vp = fp->f_vnode;
- mac_init_vnode_label(&intlabel);
+ intlabel = mac_vnode_label_alloc();
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- mac_copy_vnode_label(&vp->v_label, &intlabel);
+ mac_copy_vnode_label(vp->v_label, intlabel);
VOP_UNLOCK(vp, 0, td);
break;
case DTYPE_PIPE:
pipe = fp->f_data;
- mac_init_pipe_label(&intlabel);
+ intlabel = mac_pipe_label_alloc();
PIPE_LOCK(pipe);
- mac_copy_pipe_label(pipe->pipe_label, &intlabel);
+ mac_copy_pipe_label(pipe->pipe_label, intlabel);
PIPE_UNLOCK(pipe);
break;
default:
@@ -756,14 +755,14 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
case DTYPE_FIFO:
case DTYPE_VNODE:
if (error == 0)
- error = mac_externalize_vnode_label(&intlabel,
+ error = mac_externalize_vnode_label(intlabel,
elements, buffer, mac.m_buflen);
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
break;
case DTYPE_PIPE:
- error = mac_externalize_pipe_label(&intlabel, elements,
+ error = mac_externalize_pipe_label(intlabel, elements,
buffer, mac.m_buflen);
- mac_destroy_pipe_label(&intlabel);
+ mac_pipe_label_free(intlabel);
break;
default:
panic("__mac_get_fd: corrupted label_type");
@@ -788,7 +787,7 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
{
char *elements, *buffer;
struct nameidata nd;
- struct label intlabel;
+ struct label *intlabel;
struct mac mac;
int error;
@@ -815,13 +814,13 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
if (error)
goto out;
- mac_init_vnode_label(&intlabel);
- mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel);
- error = mac_externalize_vnode_label(&intlabel, elements, buffer,
+ intlabel = mac_vnode_label_alloc();
+ mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
+ error = mac_externalize_vnode_label(intlabel, elements, buffer,
mac.m_buflen);
NDFREE(&nd, 0);
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -843,7 +842,7 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
{
char *elements, *buffer;
struct nameidata nd;
- struct label intlabel;
+ struct label *intlabel;
struct mac mac;
int error;
@@ -870,12 +869,12 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
if (error)
goto out;
- mac_init_vnode_label(&intlabel);
- mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel);
- error = mac_externalize_vnode_label(&intlabel, elements, buffer,
+ intlabel = mac_vnode_label_alloc();
+ mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
+ error = mac_externalize_vnode_label(intlabel, elements, buffer,
mac.m_buflen);
NDFREE(&nd, 0);
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -895,7 +894,7 @@ out:
int
__mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
{
- struct label intlabel;
+ struct label *intlabel;
struct pipe *pipe;
struct file *fp;
struct mount *mp;
@@ -928,40 +927,40 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
switch (fp->f_type) {
case DTYPE_FIFO:
case DTYPE_VNODE:
- mac_init_vnode_label(&intlabel);
- error = mac_internalize_vnode_label(&intlabel, buffer);
+ intlabel = mac_vnode_label_alloc();
+ error = mac_internalize_vnode_label(intlabel, buffer);
if (error) {
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
break;
}
vp = fp->f_vnode;
error = vn_start_write(vp, &mp, V_WAIT | PCATCH);
if (error != 0) {
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
break;
}
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- error = vn_setlabel(vp, &intlabel, td->td_ucred);
+ error = vn_setlabel(vp, intlabel, td->td_ucred);
VOP_UNLOCK(vp, 0, td);
vn_finished_write(mp);
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
break;
case DTYPE_PIPE:
- mac_init_pipe_label(&intlabel);
- error = mac_internalize_pipe_label(&intlabel, buffer);
+ intlabel = mac_pipe_label_alloc();
+ error = mac_internalize_pipe_label(intlabel, buffer);
if (error == 0) {
pipe = fp->f_data;
PIPE_LOCK(pipe);
error = mac_pipe_label_set(td->td_ucred, pipe,
- &intlabel);
+ intlabel);
PIPE_UNLOCK(pipe);
}
- mac_destroy_pipe_label(&intlabel);
+ mac_pipe_label_free(intlabel);
break;
default:
@@ -983,7 +982,7 @@ out:
int
__mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
{
- struct label intlabel;
+ struct label *intlabel;
struct nameidata nd;
struct mount *mp;
struct mac mac;
@@ -1005,13 +1004,11 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
return (error);
}
- mac_init_vnode_label(&intlabel);
- error = mac_internalize_vnode_label(&intlabel, buffer);
+ intlabel = mac_vnode_label_alloc();
+ error = mac_internalize_vnode_label(intlabel, buffer);
free(buffer, M_MACTEMP);
- if (error) {
- mac_destroy_vnode_label(&intlabel);
- return (error);
- }
+ if (error)
+ goto out;
mtx_lock(&Giant); /* VFS */
@@ -1021,15 +1018,15 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
if (error == 0) {
error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
if (error == 0)
- error = vn_setlabel(nd.ni_vp, &intlabel,
+ error = vn_setlabel(nd.ni_vp, intlabel,
td->td_ucred);
vn_finished_write(mp);
}
NDFREE(&nd, 0);
mtx_unlock(&Giant); /* VFS */
- mac_destroy_vnode_label(&intlabel);
-
+out:
+ mac_vnode_label_free(intlabel);
return (error);
}
@@ -1039,7 +1036,7 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
int
__mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
{
- struct label intlabel;
+ struct label *intlabel;
struct nameidata nd;
struct mount *mp;
struct mac mac;
@@ -1061,13 +1058,11 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
return (error);
}
- mac_init_vnode_label(&intlabel);
- error = mac_internalize_vnode_label(&intlabel, buffer);
+ intlabel = mac_vnode_label_alloc();
+ error = mac_internalize_vnode_label(intlabel, buffer);
free(buffer, M_MACTEMP);
- if (error) {
- mac_destroy_vnode_label(&intlabel);
- return (error);
- }
+ if (error)
+ goto out;
mtx_lock(&Giant); /* VFS */
@@ -1077,15 +1072,15 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
if (error == 0) {
error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
if (error == 0)
- error = vn_setlabel(nd.ni_vp, &intlabel,
+ error = vn_setlabel(nd.ni_vp, intlabel,
td->td_ucred);
vn_finished_write(mp);
}
NDFREE(&nd, 0);
mtx_unlock(&Giant); /* VFS */
- mac_destroy_vnode_label(&intlabel);
-
+out:
+ mac_vnode_label_free(intlabel);
return (error);
}
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index e5041a29e1eb..14755cf4b388 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -120,7 +120,7 @@ mac_check_kld_load(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_kld)
return (0);
- MAC_CHECK(check_kld_load, cred, vp, &vp->v_label);
+ MAC_CHECK(check_kld_load, cred, vp, vp->v_label);
return (error);
}
@@ -176,7 +176,7 @@ mac_check_system_acct(struct ucred *cred, struct vnode *vp)
return (0);
MAC_CHECK(check_system_acct, cred, vp,
- vp != NULL ? &vp->v_label : NULL);
+ vp != NULL ? vp->v_label : NULL);
return (error);
}
@@ -230,7 +230,7 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_system)
return (0);
- MAC_CHECK(check_system_swapon, cred, vp, &vp->v_label);
+ MAC_CHECK(check_system_swapon, cred, vp, vp->v_label);
return (error);
}
@@ -244,7 +244,7 @@ mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_system)
return (0);
- MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
+ MAC_CHECK(check_system_swapoff, cred, vp, vp->v_label);
return (error);
}
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index 08e78bb98dfd..8d475a538ad9 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -100,68 +100,123 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, devfsdirents, CTLFLAG_RD,
static int mac_setlabel_vnode_extattr(struct ucred *cred,
struct vnode *vp, struct label *intlabel);
-void
-mac_init_devfsdirent(struct devfs_dirent *de)
+static struct label *
+mac_devfsdirent_label_alloc(void)
{
+ struct label *label;
- mac_init_label(&de->de_label);
- MAC_PERFORM(init_devfsdirent_label, &de->de_label);
+ label = mac_labelzone_alloc(M_WAITOK);
+ MAC_PERFORM(init_devfsdirent_label, label);
MAC_DEBUG_COUNTER_INC(&nmacdevfsdirents);
+ return (label);
}
void
-mac_init_mount(struct mount *mp)
+mac_init_devfsdirent(struct devfs_dirent *de)
+{
+
+ de->de_label = mac_devfsdirent_label_alloc();
+}
+
+static struct label *
+mac_mount_label_alloc(void)
+{
+ struct label *label;
+
+ label = mac_labelzone_alloc(M_WAITOK);
+ MAC_PERFORM(init_mount_label, label);
+ MAC_DEBUG_COUNTER_INC(&nmacmounts);
+ return (label);
+}
+
+static struct label *
+mac_mount_fs_label_alloc(void)
{
+ struct label *label;
- mac_init_label(&mp->mnt_mntlabel);
- mac_init_label(&mp->mnt_fslabel);
- MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
- MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
+ label = mac_labelzone_alloc(M_WAITOK);
+ MAC_PERFORM(init_mount_fs_label, label);
MAC_DEBUG_COUNTER_INC(&nmacmounts);
+ return (label);
}
void
-mac_init_vnode_label(struct label *label)
+mac_init_mount(struct mount *mp)
+{
+
+ mp->mnt_mntlabel = mac_mount_label_alloc();
+ mp->mnt_fslabel = mac_mount_fs_label_alloc();
+}
+
+struct label *
+mac_vnode_label_alloc(void)
{
+ struct label *label;
- mac_init_label(label);
+ label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_vnode_label, label);
MAC_DEBUG_COUNTER_INC(&nmacvnodes);
+ return (label);
}
void
mac_init_vnode(struct vnode *vp)
{
- mac_init_vnode_label(&vp->v_label);
+ vp->v_label = mac_vnode_label_alloc();
+}
+
+static void
+mac_devfsdirent_label_free(struct label *label)
+{
+
+ MAC_PERFORM(destroy_devfsdirent_label, label);
+ mac_labelzone_free(label);
+ MAC_DEBUG_COUNTER_DEC(&nmacdevfsdirents);
}
void
mac_destroy_devfsdirent(struct devfs_dirent *de)
{
- MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
- mac_destroy_label(&de->de_label);
- MAC_DEBUG_COUNTER_DEC(&nmacdevfsdirents);
+ mac_devfsdirent_label_free(de->de_label);
+ de->de_label = NULL;
+}
+
+static void
+mac_mount_label_free(struct label *label)
+{
+
+ MAC_PERFORM(destroy_mount_label, label);
+ mac_labelzone_free(label);
+ MAC_DEBUG_COUNTER_DEC(&nmacmounts);
+}
+
+static void
+mac_mount_fs_label_free(struct label *label)
+{
+
+ MAC_PERFORM(destroy_mount_fs_label, label);
+ mac_labelzone_free(label);
+ MAC_DEBUG_COUNTER_DEC(&nmacmounts);
}
void
mac_destroy_mount(struct mount *mp)
{
- MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
- MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
- mac_destroy_label(&mp->mnt_fslabel);
- mac_destroy_label(&mp->mnt_mntlabel);
- MAC_DEBUG_COUNTER_DEC(&nmacmounts);
+ mac_mount_fs_label_free(mp->mnt_fslabel);
+ mp->mnt_fslabel = NULL;
+ mac_mount_label_free(mp->mnt_mntlabel);
+ mp->mnt_mntlabel = NULL;
}
void
-mac_destroy_vnode_label(struct label *label)
+mac_vnode_label_free(struct label *label)
{
MAC_PERFORM(destroy_vnode_label, label);
- mac_destroy_label(label);
+ mac_labelzone_free(label);
MAC_DEBUG_COUNTER_DEC(&nmacvnodes);
}
@@ -169,7 +224,8 @@ void
mac_destroy_vnode(struct vnode *vp)
{
- mac_destroy_vnode_label(&vp->v_label);
+ mac_vnode_label_free(vp->v_label);
+ vp->v_label = NULL;
}
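Review bot: Clearing `vp->v_label = NULL` here means any MAC entry point still reached with this vnode hands a NULL label to every policy, and the existing `vp != NULL ? vp->v_label : NULL` guards in this file test the vnode, not the label, so a policy that dereferences the label through its SLOT macro (not visible in this diff, but that is how the biba/lomac hunks use it) would fault rather than read a stale embedded label as before. That is the better failure mode, but the invariant should be checkable: add `KASSERT(vp->v_label != NULL, ("mac_destroy_vnode: label already freed"));` before the free so a double destroy, or a destroy of a vnode that never went through mac_init_vnode, is caught under INVARIANTS instead of surfacing as a NULL dereference inside a policy module. The same assertion fits mac_destroy_mount and mac_destroy_devfsdirent, which also NULL their pointers after freeing.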
void
@@ -205,8 +261,8 @@ mac_update_devfsdirent(struct mount *mp, struct devfs_dirent *de,
struct vnode *vp)
{
- MAC_PERFORM(update_devfsdirent, mp, de, &de->de_label, vp,
- &vp->v_label);
+ MAC_PERFORM(update_devfsdirent, mp, de, de->de_label, vp,
+ vp->v_label);
}
void
@@ -214,8 +270,8 @@ mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
struct vnode *vp)
{
- MAC_PERFORM(associate_vnode_devfs, mp, &mp->mnt_fslabel, de,
- &de->de_label, vp, &vp->v_label);
+ MAC_PERFORM(associate_vnode_devfs, mp, mp->mnt_fslabel, de,
+ de->de_label, vp, vp->v_label);
}
int
@@ -225,8 +281,8 @@ mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp)
ASSERT_VOP_LOCKED(vp, "mac_associate_vnode_extattr");
- MAC_CHECK(associate_vnode_extattr, mp, &mp->mnt_fslabel, vp,
- &vp->v_label);
+ MAC_CHECK(associate_vnode_extattr, mp, mp->mnt_fslabel, vp,
+ vp->v_label);
return (error);
}
@@ -235,8 +291,8 @@ void
mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp)
{
- MAC_PERFORM(associate_vnode_singlelabel, mp, &mp->mnt_fslabel, vp,
- &vp->v_label);
+ MAC_PERFORM(associate_vnode_singlelabel, mp, mp->mnt_fslabel, vp,
+ vp->v_label);
}
int
@@ -259,8 +315,8 @@ mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
} else if (error)
return (error);
- MAC_CHECK(create_vnode_extattr, cred, mp, &mp->mnt_fslabel,
- dvp, &dvp->v_label, vp, &vp->v_label, cnp);
+ MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_fslabel,
+ dvp, dvp->v_label, vp, vp->v_label, cnp);
if (error) {
VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
@@ -294,7 +350,7 @@ mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
} else if (error)
return (error);
- MAC_CHECK(setlabel_vnode_extattr, cred, vp, &vp->v_label, intlabel);
+ MAC_CHECK(setlabel_vnode_extattr, cred, vp, vp->v_label, intlabel);
if (error) {
VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
@@ -319,7 +375,7 @@ mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
if (!mac_enforce_process && !mac_enforce_fs)
return;
- MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
+ MAC_PERFORM(execve_transition, old, new, vp, vp->v_label,
interpvnodelabel, imgp, imgp->execlabel);
}
@@ -335,7 +391,7 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp,
return (0);
result = 0;
- MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
+ MAC_BOOLEAN(execve_will_transition, ||, old, vp, vp->v_label,
interpvnodelabel, imgp, imgp->execlabel);
return (result);
@@ -351,7 +407,7 @@ mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int acc_mode)
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, acc_mode);
+ MAC_CHECK(check_vnode_access, cred, vp, vp->v_label, acc_mode);
return (error);
}
@@ -365,7 +421,7 @@ mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp)
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label);
+ MAC_CHECK(check_vnode_chdir, cred, dvp, dvp->v_label);
return (error);
}
@@ -379,7 +435,7 @@ mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp)
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label);
+ MAC_CHECK(check_vnode_chroot, cred, dvp, dvp->v_label);
return (error);
}
@@ -394,7 +450,7 @@ mac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap);
+ MAC_CHECK(check_vnode_create, cred, dvp, dvp->v_label, cnp, vap);
return (error);
}
@@ -410,8 +466,8 @@ mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp,
- &vp->v_label, cnp);
+ MAC_CHECK(check_vnode_delete, cred, dvp, dvp->v_label, vp,
+ vp->v_label, cnp);
return (error);
}
@@ -426,7 +482,7 @@ mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type);
+ MAC_CHECK(check_vnode_deleteacl, cred, vp, vp->v_label, type);
return (error);
}
@@ -441,7 +497,7 @@ mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_deleteextattr, cred, vp, &vp->v_label,
+ MAC_CHECK(check_vnode_deleteextattr, cred, vp, vp->v_label,
attrnamespace, name);
return (error);
}
@@ -457,7 +513,7 @@ mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_process && !mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp,
+ MAC_CHECK(check_vnode_exec, cred, vp, vp->v_label, imgp,
imgp->execlabel);
return (error);
@@ -473,7 +529,7 @@ mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type);
+ MAC_CHECK(check_vnode_getacl, cred, vp, vp->v_label, type);
return (error);
}
@@ -488,7 +544,7 @@ mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label,
+ MAC_CHECK(check_vnode_getextattr, cred, vp, vp->v_label,
attrnamespace, name, uio);
return (error);
}
@@ -505,8 +561,8 @@ mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp,
- &vp->v_label, cnp);
+ MAC_CHECK(check_vnode_link, cred, dvp, dvp->v_label, vp,
+ vp->v_label, cnp);
return (error);
}
@@ -521,7 +577,7 @@ mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_listextattr, cred, vp, &vp->v_label,
+ MAC_CHECK(check_vnode_listextattr, cred, vp, vp->v_label,
attrnamespace);
return (error);
}
@@ -537,7 +593,7 @@ mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp);
+ MAC_CHECK(check_vnode_lookup, cred, dvp, dvp->v_label, cnp);
return (error);
}
@@ -551,7 +607,7 @@ mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, int prot)
if (!mac_enforce_fs || !mac_enforce_vm)
return (0);
- MAC_CHECK(check_vnode_mmap, cred, vp, &vp->v_label, prot);
+ MAC_CHECK(check_vnode_mmap, cred, vp, vp->v_label, prot);
return (error);
}
@@ -565,7 +621,7 @@ mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot)
if (!mac_enforce_fs || !mac_enforce_vm)
return;
- MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, &vp->v_label,
+ MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, vp->v_label,
&result);
*prot = result;
@@ -581,7 +637,7 @@ mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, int prot)
if (!mac_enforce_fs || !mac_enforce_vm)
return (0);
- MAC_CHECK(check_vnode_mprotect, cred, vp, &vp->v_label, prot);
+ MAC_CHECK(check_vnode_mprotect, cred, vp, vp->v_label, prot);
return (error);
}
@@ -595,7 +651,7 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, int acc_mode)
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ MAC_CHECK(check_vnode_open, cred, vp, vp->v_label, acc_mode);
return (error);
}
@@ -611,7 +667,7 @@ mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
return (0);
MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
- &vp->v_label);
+ vp->v_label);
return (error);
}
@@ -628,7 +684,7 @@ mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
return (0);
MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
- &vp->v_label);
+ vp->v_label);
return (error);
}
@@ -643,7 +699,7 @@ mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp)
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label);
+ MAC_CHECK(check_vnode_readdir, cred, dvp, dvp->v_label);
return (error);
}
@@ -657,7 +713,7 @@ mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label);
+ MAC_CHECK(check_vnode_readlink, cred, vp, vp->v_label);
return (error);
}
@@ -669,7 +725,7 @@ mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel");
- MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel);
+ MAC_CHECK(check_vnode_relabel, cred, vp, vp->v_label, newlabel);
return (error);
}
@@ -686,8 +742,8 @@ mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp,
- &vp->v_label, cnp);
+ MAC_CHECK(check_vnode_rename_from, cred, dvp, dvp->v_label, vp,
+ vp->v_label, cnp);
return (error);
}
@@ -703,8 +759,8 @@ mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp,
- vp != NULL ? &vp->v_label : NULL, samedir, cnp);
+ MAC_CHECK(check_vnode_rename_to, cred, dvp, dvp->v_label, vp,
+ vp != NULL ? vp->v_label : NULL, samedir, cnp);
return (error);
}
@@ -718,7 +774,7 @@ mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label);
+ MAC_CHECK(check_vnode_revoke, cred, vp, vp->v_label);
return (error);
}
@@ -733,7 +789,7 @@ mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl);
+ MAC_CHECK(check_vnode_setacl, cred, vp, vp->v_label, type, acl);
return (error);
}
@@ -748,7 +804,7 @@ mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label,
+ MAC_CHECK(check_vnode_setextattr, cred, vp, vp->v_label,
attrnamespace, name, uio);
return (error);
}
@@ -763,7 +819,7 @@ mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags);
+ MAC_CHECK(check_vnode_setflags, cred, vp, vp->v_label, flags);
return (error);
}
@@ -777,7 +833,7 @@ mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode);
+ MAC_CHECK(check_vnode_setmode, cred, vp, vp->v_label, mode);
return (error);
}
@@ -792,7 +848,7 @@ mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid);
+ MAC_CHECK(check_vnode_setowner, cred, vp, vp->v_label, uid, gid);
return (error);
}
@@ -807,7 +863,7 @@ mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime,
+ MAC_CHECK(check_vnode_setutimes, cred, vp, vp->v_label, atime,
mtime);
return (error);
}
@@ -824,7 +880,7 @@ mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
return (0);
MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
- &vp->v_label);
+ vp->v_label);
return (error);
}
@@ -840,7 +896,7 @@ mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
return (0);
MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
- &vp->v_label);
+ vp->v_label);
return (error);
}
@@ -849,23 +905,23 @@ void
mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel)
{
- MAC_PERFORM(relabel_vnode, cred, vp, &vp->v_label, newlabel);
+ MAC_PERFORM(relabel_vnode, cred, vp, vp->v_label, newlabel);
}
void
mac_create_mount(struct ucred *cred, struct mount *mp)
{
- MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel,
- &mp->mnt_fslabel);
+ MAC_PERFORM(create_mount, cred, mp, mp->mnt_mntlabel,
+ mp->mnt_fslabel);
}
void
mac_create_root_mount(struct ucred *cred, struct mount *mp)
{
- MAC_PERFORM(create_root_mount, cred, mp, &mp->mnt_mntlabel,
- &mp->mnt_fslabel);
+ MAC_PERFORM(create_root_mount, cred, mp, mp->mnt_mntlabel,
+ mp->mnt_fslabel);
}
int
@@ -876,7 +932,7 @@ mac_check_mount_stat(struct ucred *cred, struct mount *mount)
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_mount_stat, cred, mount, &mount->mnt_mntlabel);
+ MAC_CHECK(check_mount_stat, cred, mount, mount->mnt_mntlabel);
return (error);
}
@@ -885,7 +941,7 @@ void
mac_create_devfs_device(struct mount *mp, dev_t dev, struct devfs_dirent *de)
{
- MAC_PERFORM(create_devfs_device, mp, dev, de, &de->de_label);
+ MAC_PERFORM(create_devfs_device, mp, dev, de, de->de_label);
}
void
@@ -893,8 +949,8 @@ mac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct devfs_dirent *de)
{
- MAC_PERFORM(create_devfs_symlink, cred, mp, dd, &dd->de_label, de,
- &de->de_label);
+ MAC_PERFORM(create_devfs_symlink, cred, mp, dd, dd->de_label, de,
+ de->de_label);
}
void
@@ -903,7 +959,7 @@ mac_create_devfs_directory(struct mount *mp, char *dirname, int dirnamelen,
{
MAC_PERFORM(create_devfs_directory, mp, dirname, dirnamelen, de,
- &de->de_label);
+ de->de_label);
}
/*
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index d82584246d1d..768958384010 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -811,11 +811,11 @@ mac_biba_create_devfs_directory(struct mount *mp, char *dirname,
static void
mac_biba_create_devfs_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
- struct label *delabel)
+ struct label *delabel, const char *fullpath)
{
struct mac_biba *source, *dest;
- source = SLOT(&cred->cr_label);
+ source = SLOT(cred->cr_label);
dest = SLOT(delabel);
mac_biba_copy_single(source, dest);
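Review bot: The new `const char *fullpath` parameter on mac_biba_create_devfs_symlink has no matching argument on the framework side of this same commit: mac_create_devfs_symlink in mac_vfs.c still invokes the policy as `MAC_PERFORM(create_devfs_symlink, cred, mp, dd, dd->de_label, de, de->de_label)`, six arguments and no path. Unless the mpo_create_devfs_symlink typedef in mac_policy.h (not in this diff) already carries the extra argument, the ops-table pointer now has an incompatible type and the policy reads a seventh argument the caller never passed; the body does not use fullpath, so this is latent rather than exploitable today, but it will bite the moment a policy starts consulting it. Either revert the prototype here to `struct label *delabel)` or update the framework entry point and the other policies in the same commit. The lomac hunk below cuts off before its prototype's last line, so I cannot confirm from this diff whether it was changed consistently.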
@@ -827,7 +827,7 @@ mac_biba_create_mount(struct ucred *cred, struct mount *mp,
{
struct mac_biba *source, *dest;
- source = SLOT(&cred->cr_label);
+ source = SLOT(cred->cr_label);
dest = SLOT(mntlabel);
mac_biba_copy_single(source, dest);
dest = SLOT(fslabel);
@@ -949,7 +949,7 @@ mac_biba_create_vnode_extattr(struct ucred *cred, struct mount *mp,
buflen = sizeof(temp);
bzero(&temp, buflen);
- source = SLOT(&cred->cr_label);
+ source = SLOT(cred->cr_label);
dest = SLOT(vlabel);
mac_biba_copy_single(source, &temp);
@@ -1003,7 +1003,7 @@ mac_biba_create_socket(struct ucred *cred, struct socket *socket,
{
struct mac_biba *source, *dest;
- source = SLOT(&cred->cr_label);
+ source = SLOT(cred->cr_label);
dest = SLOT(socketlabel);
mac_biba_copy_single(source, dest);
@@ -1015,7 +1015,7 @@ mac_biba_create_pipe(struct ucred *cred, struct pipe *pipe,
{
struct mac_biba *source, *dest;
- source = SLOT(&cred->cr_label);
+ source = SLOT(cred->cr_label);
dest = SLOT(pipelabel);
mac_biba_copy_single(source, dest);
@@ -1092,7 +1092,7 @@ mac_biba_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
{
struct mac_biba *source, *dest;
- source = SLOT(&cred->cr_label);
+ source = SLOT(cred->cr_label);
dest = SLOT(bpflabel);
mac_biba_copy_single(source, dest);
@@ -1313,8 +1313,8 @@ mac_biba_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
{
struct mac_biba *source, *dest;
- source = SLOT(&cred_parent->cr_label);
- dest = SLOT(&cred_child->cr_label);
+ source = SLOT(cred_parent->cr_label);
+ dest = SLOT(cred_child->cr_label);
mac_biba_copy_single(source, dest);
mac_biba_copy_range(source, dest);
@@ -1325,7 +1325,7 @@ mac_biba_create_proc0(struct ucred *cred)
{
struct mac_biba *dest;
- dest = SLOT(&cred->cr_label);
+ dest = SLOT(cred->cr_label);
mac_biba_set_single(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
mac_biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL,
@@ -1337,7 +1337,7 @@ mac_biba_create_proc1(struct ucred *cred)
{
struct mac_biba *dest;
- dest = SLOT(&cred->cr_label);
+ dest = SLOT(cred->cr_label);
mac_biba_set_single(dest, MAC_BIBA_TYPE_HIGH, 0, NULL);
mac_biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL,
@@ -1350,7 +1350,7 @@ mac_biba_relabel_cred(struct ucred *cred, struct label *newlabel)
struct mac_biba *source, *dest;
source = SLOT(newlabel);
- dest = SLOT(&cred->cr_label);
+ dest = SLOT(cred->cr_label);
mac_biba_copy(source, dest);
}
@@ -1381,7 +1381,7 @@ mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel)
struct mac_biba *subj, *new;
int error;
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
new = SLOT(newlabel);
/*
@@ -1445,8 +1445,8 @@ mac_biba_check_cred_visible(struct ucred *u1, struct ucred *u2)
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&u1->cr_label);
- obj = SLOT(&u2->cr_label);
+ subj = SLOT(u1->cr_label);
+ obj = SLOT(u2->cr_label);
/* XXX: range */
if (!mac_biba_dominate_single(obj, subj))
@@ -1462,7 +1462,7 @@ mac_biba_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
struct mac_biba *subj, *new;
int error;
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
new = SLOT(newlabel);
/*
@@ -1508,7 +1508,7 @@ mac_biba_check_kld_load(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
error = mac_biba_subject_privileged(subj);
if (error)
@@ -1530,7 +1530,7 @@ mac_biba_check_kld_unload(struct ucred *cred)
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
return (mac_biba_subject_privileged(subj));
}
@@ -1544,7 +1544,7 @@ mac_biba_check_mount_stat(struct ucred *cred, struct mount *mp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(mntlabel);
if (!mac_biba_dominate_single(obj, subj))
@@ -1575,7 +1575,7 @@ mac_biba_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT((pipelabel));
if (!mac_biba_dominate_single(obj, subj))
@@ -1593,7 +1593,7 @@ mac_biba_check_pipe_read(struct ucred *cred, struct pipe *pipe,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT((pipelabel));
if (!mac_biba_dominate_single(obj, subj))
@@ -1610,7 +1610,7 @@ mac_biba_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
int error;
new = SLOT(newlabel);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(pipelabel);
/*
@@ -1662,7 +1662,7 @@ mac_biba_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT((pipelabel));
if (!mac_biba_dominate_single(obj, subj))
@@ -1680,7 +1680,7 @@ mac_biba_check_pipe_write(struct ucred *cred, struct pipe *pipe,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT((pipelabel));
if (!mac_biba_dominate_single(subj, obj))
@@ -1697,8 +1697,8 @@ mac_biba_check_proc_debug(struct ucred *cred, struct proc *proc)
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
- obj = SLOT(&proc->p_ucred->cr_label);
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(proc->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_biba_dominate_single(obj, subj))
@@ -1717,8 +1717,8 @@ mac_biba_check_proc_sched(struct ucred *cred, struct proc *proc)
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
- obj = SLOT(&proc->p_ucred->cr_label);
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(proc->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_biba_dominate_single(obj, subj))
@@ -1737,8 +1737,8 @@ mac_biba_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
- obj = SLOT(&proc->p_ucred->cr_label);
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(proc->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_biba_dominate_single(obj, subj))
@@ -1772,7 +1772,7 @@ mac_biba_check_socket_relabel(struct ucred *cred, struct socket *so,
int error;
new = SLOT(newlabel);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(socketlabel);
/*
@@ -1824,7 +1824,7 @@ mac_biba_check_socket_visible(struct ucred *cred, struct socket *socket,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(socketlabel);
if (!mac_biba_dominate_single(obj, subj))
@@ -1842,7 +1842,7 @@ mac_biba_check_sysarch_ioperm(struct ucred *cred)
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
error = mac_biba_subject_privileged(subj);
if (error)
@@ -1861,7 +1861,7 @@ mac_biba_check_system_acct(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
error = mac_biba_subject_privileged(subj);
if (error)
@@ -1886,7 +1886,7 @@ mac_biba_check_system_settime(struct ucred *cred)
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
error = mac_biba_subject_privileged(subj);
if (error)
@@ -1905,7 +1905,7 @@ mac_biba_check_system_swapon(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
error = mac_biba_subject_privileged(subj);
@@ -1928,7 +1928,7 @@ mac_biba_check_system_swapoff(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
error = mac_biba_subject_privileged(subj);
@@ -1948,7 +1948,7 @@ mac_biba_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
/*
* In general, treat sysctl variables as biba/high, but also
@@ -1981,7 +1981,7 @@ mac_biba_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_biba_dominate_single(obj, subj))
@@ -1999,7 +1999,7 @@ mac_biba_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_biba_dominate_single(obj, subj))
@@ -2017,7 +2017,7 @@ mac_biba_check_vnode_create(struct ucred *cred, struct vnode *dvp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_biba_dominate_single(subj, obj))
@@ -2036,7 +2036,7 @@ mac_biba_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_biba_dominate_single(subj, obj))
@@ -2059,7 +2059,7 @@ mac_biba_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(subj, obj))
@@ -2077,7 +2077,7 @@ mac_biba_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(subj, obj))
@@ -2109,7 +2109,7 @@ mac_biba_check_vnode_exec(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(obj, subj))
@@ -2127,7 +2127,7 @@ mac_biba_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(obj, subj))
@@ -2145,7 +2145,7 @@ mac_biba_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(obj, subj))
@@ -2164,7 +2164,7 @@ mac_biba_check_vnode_link(struct ucred *cred, struct vnode *dvp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_biba_dominate_single(subj, obj))
@@ -2187,7 +2187,7 @@ mac_biba_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(obj, subj))
@@ -2205,7 +2205,7 @@ mac_biba_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_biba_dominate_single(obj, subj))
@@ -2227,7 +2227,7 @@ mac_biba_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled || !revocation_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
@@ -2251,7 +2251,7 @@ mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
/* XXX privilege override for admin? */
@@ -2276,7 +2276,7 @@ mac_biba_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
if (!mac_biba_enabled || !revocation_enabled)
return (0);
- subj = SLOT(&active_cred->cr_label);
+ subj = SLOT(active_cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(obj, subj))
@@ -2294,7 +2294,7 @@ mac_biba_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
if (!mac_biba_enabled || !revocation_enabled)
return (0);
- subj = SLOT(&active_cred->cr_label);
+ subj = SLOT(active_cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(obj, subj))
@@ -2312,7 +2312,7 @@ mac_biba_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_biba_dominate_single(obj, subj))
@@ -2330,7 +2330,7 @@ mac_biba_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(obj, subj))
@@ -2348,7 +2348,7 @@ mac_biba_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
old = SLOT(vnodelabel);
new = SLOT(newlabel);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
/*
* If there is a Biba label update for the vnode, it must be a
@@ -2400,7 +2400,7 @@ mac_biba_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_biba_dominate_single(subj, obj))
@@ -2424,7 +2424,7 @@ mac_biba_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_biba_dominate_single(subj, obj))
@@ -2449,7 +2449,7 @@ mac_biba_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(subj, obj))
@@ -2467,7 +2467,7 @@ mac_biba_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(subj, obj))
@@ -2486,7 +2486,7 @@ mac_biba_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_biba_dominate_single(subj, obj))
@@ -2506,7 +2506,7 @@ mac_biba_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_biba_dominate_single(subj, obj))
@@ -2524,7 +2524,7 @@ mac_biba_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_biba_dominate_single(subj, obj))
@@ -2542,7 +2542,7 @@ mac_biba_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_biba_dominate_single(subj, obj))
@@ -2560,7 +2560,7 @@ mac_biba_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_biba_dominate_single(subj, obj))
@@ -2578,7 +2578,7 @@ mac_biba_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
if (!mac_biba_enabled)
return (0);
- subj = SLOT(&active_cred->cr_label);
+ subj = SLOT(active_cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_biba_dominate_single(obj, subj))
@@ -2596,7 +2596,7 @@ mac_biba_check_vnode_write(struct ucred *active_cred,
if (!mac_biba_enabled || !revocation_enabled)
return (0);
- subj = SLOT(&active_cred->cr_label);
+ subj = SLOT(active_cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(subj, obj))
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index c6261bfd98e1..be13a479f8ec 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -499,7 +499,7 @@ maybe_demote(struct mac_lomac *subjlabel, struct mac_lomac *objlabel,
struct proc *p;
pid_t pgid;
- subj = PSLOT(&curthread->td_proc->p_label);
+ subj = PSLOT(curthread->td_proc->p_label);
p = curthread->td_proc;
mtx_lock(&subj->mtx);
@@ -941,7 +941,7 @@ mac_lomac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
{
struct mac_lomac *source, *dest;
- source = SLOT(&cred->cr_label);
+ source = SLOT(cred->cr_label);
dest = SLOT(delabel);
mac_lomac_copy_single(source, dest);
@@ -953,7 +953,7 @@ mac_lomac_create_mount(struct ucred *cred, struct mount *mp,
{
struct mac_lomac *source, *dest;
- source = SLOT(&cred->cr_label);
+ source = SLOT(cred->cr_label);
dest = SLOT(mntlabel);
mac_lomac_copy_single(source, dest);
dest = SLOT(fslabel);
@@ -1082,7 +1082,7 @@ mac_lomac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
buflen = sizeof(temp);
bzero(&temp, buflen);
- source = SLOT(&cred->cr_label);
+ source = SLOT(cred->cr_label);
dest = SLOT(vlabel);
dir = SLOT(dlabel);
if (dir->ml_flags & MAC_LOMAC_FLAG_AUX) {
@@ -1142,7 +1142,7 @@ mac_lomac_create_socket(struct ucred *cred, struct socket *socket,
{
struct mac_lomac *source, *dest;
- source = SLOT(&cred->cr_label);
+ source = SLOT(cred->cr_label);
dest = SLOT(socketlabel);
mac_lomac_copy_single(source, dest);
@@ -1154,7 +1154,7 @@ mac_lomac_create_pipe(struct ucred *cred, struct pipe *pipe,
{
struct mac_lomac *source, *dest;
- source = SLOT(&cred->cr_label);
+ source = SLOT(cred->cr_label);
dest = SLOT(pipelabel);
mac_lomac_copy_single(source, dest);
@@ -1231,7 +1231,7 @@ mac_lomac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
{
struct mac_lomac *source, *dest;
- source = SLOT(&cred->cr_label);
+ source = SLOT(cred->cr_label);
dest = SLOT(bpflabel);
mac_lomac_copy_single(source, dest);
@@ -1453,8 +1453,8 @@ mac_lomac_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
{
struct mac_lomac *source, *dest;
- source = SLOT(&cred_parent->cr_label);
- dest = SLOT(&cred_child->cr_label);
+ source = SLOT(cred_parent->cr_label);
+ dest = SLOT(cred_child->cr_label);
mac_lomac_copy_single(source, dest);
mac_lomac_copy_range(source, dest);
@@ -1468,8 +1468,8 @@ mac_lomac_execve_transition(struct ucred *old, struct ucred *new,
{
struct mac_lomac *source, *dest, *obj, *robj;
- source = SLOT(&old->cr_label);
- dest = SLOT(&new->cr_label);
+ source = SLOT(old->cr_label);
+ dest = SLOT(new->cr_label);
obj = SLOT(vnodelabel);
robj = interpvnodelabel != NULL ? SLOT(interpvnodelabel) : obj;
@@ -1507,7 +1507,7 @@ mac_lomac_execve_will_transition(struct ucred *old, struct vnode *vp,
if (!mac_lomac_enabled || !revocation_enabled)
return (0);
- subj = SLOT(&old->cr_label);
+ subj = SLOT(old->cr_label);
obj = SLOT(vnodelabel);
robj = interpvnodelabel != NULL ? SLOT(interpvnodelabel) : obj;
@@ -1522,7 +1522,7 @@ mac_lomac_create_proc0(struct ucred *cred)
{
struct mac_lomac *dest;
- dest = SLOT(&cred->cr_label);
+ dest = SLOT(cred->cr_label);
mac_lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
mac_lomac_set_range(dest, MAC_LOMAC_TYPE_LOW, 0, MAC_LOMAC_TYPE_HIGH,
@@ -1534,7 +1534,7 @@ mac_lomac_create_proc1(struct ucred *cred)
{
struct mac_lomac *dest;
- dest = SLOT(&cred->cr_label);
+ dest = SLOT(cred->cr_label);
mac_lomac_set_single(dest, MAC_LOMAC_TYPE_HIGH, 0);
mac_lomac_set_range(dest, MAC_LOMAC_TYPE_LOW, 0, MAC_LOMAC_TYPE_HIGH,
@@ -1547,7 +1547,7 @@ mac_lomac_relabel_cred(struct ucred *cred, struct label *newlabel)
struct mac_lomac *source, *dest;
source = SLOT(newlabel);
- dest = SLOT(&cred->cr_label);
+ dest = SLOT(cred->cr_label);
try_relabel(source, dest);
}
@@ -1578,7 +1578,7 @@ mac_lomac_check_cred_relabel(struct ucred *cred, struct label *newlabel)
struct mac_lomac *subj, *new;
int error;
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
new = SLOT(newlabel);
/*
@@ -1646,8 +1646,8 @@ mac_lomac_check_cred_visible(struct ucred *u1, struct ucred *u2)
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(&u1->cr_label);
- obj = SLOT(&u2->cr_label);
+ subj = SLOT(u1->cr_label);
+ obj = SLOT(u2->cr_label);
/* XXX: range */
if (!mac_lomac_dominate_single(obj, subj))
@@ -1663,7 +1663,7 @@ mac_lomac_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
struct mac_lomac *subj, *new;
int error;
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
new = SLOT(newlabel);
/*
@@ -1735,7 +1735,7 @@ mac_lomac_check_kld_load(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (mac_lomac_subject_privileged(subj))
@@ -1755,7 +1755,7 @@ mac_lomac_check_kld_unload(struct ucred *cred)
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
if (mac_lomac_subject_privileged(subj))
return (EPERM);
@@ -1785,7 +1785,7 @@ mac_lomac_check_pipe_read(struct ucred *cred, struct pipe *pipe,
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT((pipelabel));
if (!mac_lomac_dominate_single(obj, subj))
@@ -1802,7 +1802,7 @@ mac_lomac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
int error;
new = SLOT(newlabel);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(pipelabel);
/*
@@ -1854,7 +1854,7 @@ mac_lomac_check_pipe_write(struct ucred *cred, struct pipe *pipe,
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT((pipelabel));
if (!mac_lomac_subject_dominate(subj, obj))
@@ -1871,8 +1871,8 @@ mac_lomac_check_proc_debug(struct ucred *cred, struct proc *proc)
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
- obj = SLOT(&proc->p_ucred->cr_label);
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(proc->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_lomac_dominate_single(obj, subj))
@@ -1891,8 +1891,8 @@ mac_lomac_check_proc_sched(struct ucred *cred, struct proc *proc)
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
- obj = SLOT(&proc->p_ucred->cr_label);
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(proc->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_lomac_dominate_single(obj, subj))
@@ -1911,8 +1911,8 @@ mac_lomac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
- obj = SLOT(&proc->p_ucred->cr_label);
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(proc->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_lomac_dominate_single(obj, subj))
@@ -1946,7 +1946,7 @@ mac_lomac_check_socket_relabel(struct ucred *cred, struct socket *socket,
int error;
new = SLOT(newlabel);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(socketlabel);
/*
@@ -1998,7 +1998,7 @@ mac_lomac_check_socket_visible(struct ucred *cred, struct socket *socket,
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(socketlabel);
if (!mac_lomac_dominate_single(obj, subj))
@@ -2016,7 +2016,7 @@ mac_lomac_check_system_swapon(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (mac_lomac_subject_privileged(subj))
@@ -2037,7 +2037,7 @@ mac_lomac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
/*
* In general, treat sysctl variables as lomac/high, but also
@@ -2071,7 +2071,7 @@ mac_lomac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_lomac_subject_dominate(subj, obj))
@@ -2093,7 +2093,7 @@ mac_lomac_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_lomac_subject_dominate(subj, obj))
@@ -2116,7 +2116,7 @@ mac_lomac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_lomac_subject_dominate(subj, obj))
@@ -2135,7 +2135,7 @@ mac_lomac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_lomac_subject_dominate(subj, obj))
@@ -2162,7 +2162,7 @@ mac_lomac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (prot & VM_PROT_WRITE) {
@@ -2190,7 +2190,7 @@ mac_lomac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled || !revocation_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (prot & VM_PROT_WRITE) {
@@ -2218,7 +2218,7 @@ mac_lomac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled || !revocation_enabled)
return;
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_lomac_subject_dominate(subj, obj))
@@ -2234,7 +2234,7 @@ mac_lomac_check_vnode_open(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
/* XXX privilege override for admin? */
@@ -2255,7 +2255,7 @@ mac_lomac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
if (!mac_lomac_enabled || !revocation_enabled)
return (0);
- subj = SLOT(&active_cred->cr_label);
+ subj = SLOT(active_cred->cr_label);
obj = SLOT(label);
if (!mac_lomac_dominate_single(obj, subj))
@@ -2273,7 +2273,7 @@ mac_lomac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
old = SLOT(vnodelabel);
new = SLOT(newlabel);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
/*
* If there is a LOMAC label update for the vnode, it must be a
@@ -2350,7 +2350,7 @@ mac_lomac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_lomac_subject_dominate(subj, obj))
@@ -2374,7 +2374,7 @@ mac_lomac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_lomac_subject_dominate(subj, obj))
@@ -2399,7 +2399,7 @@ mac_lomac_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_lomac_subject_dominate(subj, obj))
@@ -2417,7 +2417,7 @@ mac_lomac_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_lomac_subject_dominate(subj, obj))
@@ -2436,7 +2436,7 @@ mac_lomac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_lomac_subject_dominate(subj, obj))
@@ -2456,7 +2456,7 @@ mac_lomac_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_lomac_subject_dominate(subj, obj))
@@ -2474,7 +2474,7 @@ mac_lomac_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_lomac_subject_dominate(subj, obj))
@@ -2492,7 +2492,7 @@ mac_lomac_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_lomac_subject_dominate(subj, obj))
@@ -2510,7 +2510,7 @@ mac_lomac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_lomac_subject_dominate(subj, obj))
@@ -2528,7 +2528,7 @@ mac_lomac_check_vnode_write(struct ucred *active_cred,
if (!mac_lomac_enabled || !revocation_enabled)
return (0);
- subj = SLOT(&active_cred->cr_label);
+ subj = SLOT(active_cred->cr_label);
obj = SLOT(label);
if (!mac_lomac_subject_dominate(subj, obj))
@@ -2541,7 +2541,7 @@ static void
mac_lomac_thread_userret(struct thread *td)
{
struct proc *p = td->td_proc;
- struct mac_lomac_proc *subj = PSLOT(&p->p_label);
+ struct mac_lomac_proc *subj = PSLOT(p->p_label);
struct ucred *newcred, *oldcred;
int dodrop;
@@ -2568,7 +2568,7 @@ mac_lomac_thread_userret(struct thread *td)
oldcred = p->p_ucred;
crcopy(newcred, oldcred);
crhold(newcred);
- mac_lomac_copy(&subj->mac_lomac, SLOT(&newcred->cr_label));
+ mac_lomac_copy(&subj->mac_lomac, SLOT(newcred->cr_label));
p->p_ucred = newcred;
crfree(oldcred);
dodrop = 1;
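Review bot: `mac_lomac_copy(&subj->mac_lomac, SLOT(newcred->cr_label));` writes through a label pointer that newcred obtained via `crcopy(newcred, oldcred)` three lines above, so correctness now depends on `crcopy` deep-copying the label contents into newcred's own `cr_label` rather than copying the pointer. If the pointer were aliased, this write would also modify the label oldcred still holds, and the `crfree(oldcred)` that follows could release a label newcred goes on to use as `p->p_ucred` — a use-after-free on the live credential. That copy is implemented outside this chunk, so it is worth confirming once and recording here, e.g. `/* crcopy() gives newcred its own label storage; the copy below must not touch oldcred's label. */`. mac_lomac_thread_userret begins before this hunk.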
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index eb3c320d274a..69bd3748a737 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -781,11 +781,11 @@ mac_mls_create_devfs_directory(struct mount *mp, char *dirname,
static void
mac_mls_create_devfs_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
- struct label *delabel)
+ struct label *delabel, const char *fullpath)
{
struct mac_mls *source, *dest;
- source = SLOT(&cred->cr_label);
+ source = SLOT(cred->cr_label);
dest = SLOT(delabel);
mac_mls_copy_single(source, dest);
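Review bot: The new `const char *fullpath` parameter on `mac_mls_create_devfs_symlink` is not matched by `mac_test_create_devfs_symlink` further down, whose visible parameter list on the new side still ends at `struct label *delabel)`, and the lomac counterpart's signature is not visible in this chunk. Both are installed into the same policy entry-point slot, so unless mac_test's prototype already carries `fullpath` on an earlier line, at most one of the two can agree with the framework's function-pointer type and the other will draw an incompatible-pointer-type diagnostic at the ops-table initializer. This is also the only hunk in the chunk that changes a signature rather than the `&cr_label` mechanics, which is worth calling out in the commit description. `fullpath` is unused in the body; a comment such as `/* fullpath unused: the symlink's label is copied from the creating cred only. */` would mark that as intentional.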
@@ -797,7 +797,7 @@ mac_mls_create_mount(struct ucred *cred, struct mount *mp,
{
struct mac_mls *source, *dest;
- source = SLOT(&cred->cr_label);
+ source = SLOT(cred->cr_label);
dest = SLOT(mntlabel);
mac_mls_copy_single(source, dest);
dest = SLOT(fslabel);
@@ -919,7 +919,7 @@ mac_mls_create_vnode_extattr(struct ucred *cred, struct mount *mp,
buflen = sizeof(temp);
bzero(&temp, buflen);
- source = SLOT(&cred->cr_label);
+ source = SLOT(cred->cr_label);
dest = SLOT(vlabel);
mac_mls_copy_single(source, &temp);
@@ -973,7 +973,7 @@ mac_mls_create_socket(struct ucred *cred, struct socket *socket,
{
struct mac_mls *source, *dest;
- source = SLOT(&cred->cr_label);
+ source = SLOT(cred->cr_label);
dest = SLOT(socketlabel);
mac_mls_copy_single(source, dest);
@@ -985,7 +985,7 @@ mac_mls_create_pipe(struct ucred *cred, struct pipe *pipe,
{
struct mac_mls *source, *dest;
- source = SLOT(&cred->cr_label);
+ source = SLOT(cred->cr_label);
dest = SLOT(pipelabel);
mac_mls_copy_single(source, dest);
@@ -1062,7 +1062,7 @@ mac_mls_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
{
struct mac_mls *source, *dest;
- source = SLOT(&cred->cr_label);
+ source = SLOT(cred->cr_label);
dest = SLOT(bpflabel);
mac_mls_copy_single(source, dest);
@@ -1243,8 +1243,8 @@ mac_mls_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
{
struct mac_mls *source, *dest;
- source = SLOT(&cred_parent->cr_label);
- dest = SLOT(&cred_child->cr_label);
+ source = SLOT(cred_parent->cr_label);
+ dest = SLOT(cred_child->cr_label);
mac_mls_copy_single(source, dest);
mac_mls_copy_range(source, dest);
@@ -1255,7 +1255,7 @@ mac_mls_create_proc0(struct ucred *cred)
{
struct mac_mls *dest;
- dest = SLOT(&cred->cr_label);
+ dest = SLOT(cred->cr_label);
mac_mls_set_single(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
mac_mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH,
@@ -1267,7 +1267,7 @@ mac_mls_create_proc1(struct ucred *cred)
{
struct mac_mls *dest;
- dest = SLOT(&cred->cr_label);
+ dest = SLOT(cred->cr_label);
mac_mls_set_single(dest, MAC_MLS_TYPE_LOW, 0, NULL);
mac_mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH,
@@ -1280,7 +1280,7 @@ mac_mls_relabel_cred(struct ucred *cred, struct label *newlabel)
struct mac_mls *source, *dest;
source = SLOT(newlabel);
- dest = SLOT(&cred->cr_label);
+ dest = SLOT(cred->cr_label);
mac_mls_copy(source, dest);
}
@@ -1311,7 +1311,7 @@ mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel)
struct mac_mls *subj, *new;
int error;
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
new = SLOT(newlabel);
/*
@@ -1375,8 +1375,8 @@ mac_mls_check_cred_visible(struct ucred *u1, struct ucred *u2)
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&u1->cr_label);
- obj = SLOT(&u2->cr_label);
+ subj = SLOT(u1->cr_label);
+ obj = SLOT(u2->cr_label);
/* XXX: range */
if (!mac_mls_dominate_single(subj, obj))
@@ -1392,7 +1392,7 @@ mac_mls_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
struct mac_mls *subj, *new;
int error;
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
new = SLOT(newlabel);
/*
@@ -1435,7 +1435,7 @@ mac_mls_check_mount_stat(struct ucred *cred, struct mount *mp,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(mntlabel);
if (!mac_mls_dominate_single(subj, obj))
@@ -1466,7 +1466,7 @@ mac_mls_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT((pipelabel));
if (!mac_mls_dominate_single(subj, obj))
@@ -1484,7 +1484,7 @@ mac_mls_check_pipe_read(struct ucred *cred, struct pipe *pipe,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT((pipelabel));
if (!mac_mls_dominate_single(subj, obj))
@@ -1501,7 +1501,7 @@ mac_mls_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
int error;
new = SLOT(newlabel);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(pipelabel);
/*
@@ -1553,7 +1553,7 @@ mac_mls_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT((pipelabel));
if (!mac_mls_dominate_single(subj, obj))
@@ -1571,7 +1571,7 @@ mac_mls_check_pipe_write(struct ucred *cred, struct pipe *pipe,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT((pipelabel));
if (!mac_mls_dominate_single(obj, subj))
@@ -1588,8 +1588,8 @@ mac_mls_check_proc_debug(struct ucred *cred, struct proc *proc)
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
- obj = SLOT(&proc->p_ucred->cr_label);
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(proc->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_mls_dominate_single(subj, obj))
@@ -1608,8 +1608,8 @@ mac_mls_check_proc_sched(struct ucred *cred, struct proc *proc)
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
- obj = SLOT(&proc->p_ucred->cr_label);
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(proc->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_mls_dominate_single(subj, obj))
@@ -1628,8 +1628,8 @@ mac_mls_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
- obj = SLOT(&proc->p_ucred->cr_label);
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(proc->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_mls_dominate_single(subj, obj))
@@ -1663,7 +1663,7 @@ mac_mls_check_socket_relabel(struct ucred *cred, struct socket *socket,
int error;
new = SLOT(newlabel);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(socketlabel);
/*
@@ -1715,7 +1715,7 @@ mac_mls_check_socket_visible(struct ucred *cred, struct socket *socket,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(socketlabel);
if (!mac_mls_dominate_single(subj, obj))
@@ -1733,7 +1733,7 @@ mac_mls_check_system_swapon(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(obj, subj) ||
@@ -1752,7 +1752,7 @@ mac_mls_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_mls_dominate_single(subj, obj))
@@ -1770,7 +1770,7 @@ mac_mls_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_mls_dominate_single(subj, obj))
@@ -1788,7 +1788,7 @@ mac_mls_check_vnode_create(struct ucred *cred, struct vnode *dvp,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_mls_dominate_single(obj, subj))
@@ -1807,7 +1807,7 @@ mac_mls_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_mls_dominate_single(obj, subj))
@@ -1830,7 +1830,7 @@ mac_mls_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(obj, subj))
@@ -1848,7 +1848,7 @@ mac_mls_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(obj, subj))
@@ -1880,7 +1880,7 @@ mac_mls_check_vnode_exec(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(subj, obj))
@@ -1898,7 +1898,7 @@ mac_mls_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(subj, obj))
@@ -1916,7 +1916,7 @@ mac_mls_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(subj, obj))
@@ -1935,7 +1935,7 @@ mac_mls_check_vnode_link(struct ucred *cred, struct vnode *dvp,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_mls_dominate_single(obj, subj))
@@ -1958,7 +1958,7 @@ mac_mls_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(subj, obj))
@@ -1976,7 +1976,7 @@ mac_mls_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_mls_dominate_single(subj, obj))
@@ -1998,7 +1998,7 @@ mac_mls_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled || !revocation_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
@@ -2022,7 +2022,7 @@ mac_mls_check_vnode_open(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
/* XXX privilege override for admin? */
@@ -2047,7 +2047,7 @@ mac_mls_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
if (!mac_mls_enabled || !revocation_enabled)
return (0);
- subj = SLOT(&active_cred->cr_label);
+ subj = SLOT(active_cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(subj, obj))
@@ -2065,7 +2065,7 @@ mac_mls_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
if (!mac_mls_enabled || !revocation_enabled)
return (0);
- subj = SLOT(&active_cred->cr_label);
+ subj = SLOT(active_cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(subj, obj))
@@ -2083,7 +2083,7 @@ mac_mls_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_mls_dominate_single(subj, obj))
@@ -2101,7 +2101,7 @@ mac_mls_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_mls_dominate_single(subj, obj))
@@ -2119,7 +2119,7 @@ mac_mls_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
old = SLOT(vnodelabel);
new = SLOT(newlabel);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
/*
* If there is an MLS label update for the vnode, it must be a
@@ -2172,7 +2172,7 @@ mac_mls_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_mls_dominate_single(obj, subj))
@@ -2196,7 +2196,7 @@ mac_mls_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_mls_dominate_single(obj, subj))
@@ -2221,7 +2221,7 @@ mac_mls_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(obj, subj))
@@ -2239,7 +2239,7 @@ mac_mls_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(obj, subj))
@@ -2258,7 +2258,7 @@ mac_mls_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_mls_dominate_single(obj, subj))
@@ -2278,7 +2278,7 @@ mac_mls_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_mls_dominate_single(obj, subj))
@@ -2296,7 +2296,7 @@ mac_mls_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_mls_dominate_single(obj, subj))
@@ -2314,7 +2314,7 @@ mac_mls_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_mls_dominate_single(obj, subj))
@@ -2332,7 +2332,7 @@ mac_mls_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&cred->cr_label);
+ subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_mls_dominate_single(obj, subj))
@@ -2350,7 +2350,7 @@ mac_mls_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
if (!mac_mls_enabled)
return (0);
- subj = SLOT(&active_cred->cr_label);
+ subj = SLOT(active_cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_mls_dominate_single(subj, obj))
@@ -2368,7 +2368,7 @@ mac_mls_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
if (!mac_mls_enabled || !revocation_enabled)
return (0);
- subj = SLOT(&active_cred->cr_label);
+ subj = SLOT(active_cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(obj, subj))
diff --git a/sys/security/mac_partition/mac_partition.c b/sys/security/mac_partition/mac_partition.c
index ed5bc2eca710..74df98c7c943 100644
--- a/sys/security/mac_partition/mac_partition.c
+++ b/sys/security/mac_partition/mac_partition.c
@@ -134,21 +134,21 @@ static void
mac_partition_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
{
- SLOT(&cred_child->cr_label) = SLOT(&cred_parent->cr_label);
+ SLOT(cred_child->cr_label) = SLOT(cred_parent->cr_label);
}
static void
mac_partition_create_proc0(struct ucred *cred)
{
- SLOT(&cred->cr_label) = 0;
+ SLOT(cred->cr_label) = 0;
}
static void
mac_partition_create_proc1(struct ucred *cred)
{
- SLOT(&cred->cr_label) = 0;
+ SLOT(cred->cr_label) = 0;
}
static void
@@ -156,7 +156,7 @@ mac_partition_relabel_cred(struct ucred *cred, struct label *newlabel)
{
if (SLOT(newlabel) != 0)
- SLOT(&cred->cr_label) = SLOT(newlabel);
+ SLOT(cred->cr_label) = SLOT(newlabel);
}
static int
@@ -201,7 +201,7 @@ mac_partition_check_cred_visible(struct ucred *u1, struct ucred *u2)
{
int error;
- error = label_on_label(&u1->cr_label, &u2->cr_label);
+ error = label_on_label(u1->cr_label, u2->cr_label);
return (error == 0 ? 0 : ESRCH);
}
@@ -211,7 +211,7 @@ mac_partition_check_proc_debug(struct ucred *cred, struct proc *proc)
{
int error;
- error = label_on_label(&cred->cr_label, &proc->p_ucred->cr_label);
+ error = label_on_label(cred->cr_label, proc->p_ucred->cr_label);
return (error ? ESRCH : 0);
}
@@ -221,7 +221,7 @@ mac_partition_check_proc_sched(struct ucred *cred, struct proc *proc)
{
int error;
- error = label_on_label(&cred->cr_label, &proc->p_ucred->cr_label);
+ error = label_on_label(cred->cr_label, proc->p_ucred->cr_label);
return (error ? ESRCH : 0);
}
@@ -232,7 +232,7 @@ mac_partition_check_proc_signal(struct ucred *cred, struct proc *proc,
{
int error;
- error = label_on_label(&cred->cr_label, &proc->p_ucred->cr_label);
+ error = label_on_label(cred->cr_label, proc->p_ucred->cr_label);
return (error ? ESRCH : 0);
}
@@ -243,7 +243,7 @@ mac_partition_check_socket_visible(struct ucred *cred, struct socket *socket,
{
int error;
- error = label_on_label(&cred->cr_label, socketlabel);
+ error = label_on_label(cred->cr_label, socketlabel);
return (error ? ENOENT : 0);
}
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 1aafa92d5123..322667944b44 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -635,7 +635,7 @@ mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
struct label *delabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_DEVFS_LABEL(ddlabel);
ASSERT_DEVFS_LABEL(delabel);
}
@@ -646,7 +646,7 @@ mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_MOUNT_LABEL(fslabel);
ASSERT_VNODE_LABEL(dlabel);
@@ -658,7 +658,7 @@ mac_test_create_mount(struct ucred *cred, struct mount *mp,
struct label *mntlabel, struct label *fslabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_MOUNT_LABEL(mntlabel);
ASSERT_MOUNT_LABEL(fslabel);
}
@@ -668,7 +668,7 @@ mac_test_create_root_mount(struct ucred *cred, struct mount *mp,
struct label *mntlabel, struct label *fslabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_MOUNT_LABEL(mntlabel);
ASSERT_MOUNT_LABEL(fslabel);
}
@@ -678,7 +678,7 @@ mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
struct label *vnodelabel, struct label *label)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(vnodelabel);
ASSERT_VNODE_LABEL(label);
}
@@ -688,7 +688,7 @@ mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
struct label *vlabel, struct label *intlabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(vlabel);
ASSERT_VNODE_LABEL(intlabel);
return (0);
@@ -721,7 +721,7 @@ mac_test_create_socket(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_SOCKET_LABEL(socketlabel);
}
@@ -730,7 +730,7 @@ mac_test_create_pipe(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_PIPE_LABEL(pipelabel);
}
@@ -749,7 +749,7 @@ mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct label *newlabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_SOCKET_LABEL(newlabel);
}
@@ -758,7 +758,7 @@ mac_test_relabel_pipe(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel, struct label *newlabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_PIPE_LABEL(pipelabel);
ASSERT_PIPE_LABEL(newlabel);
}
@@ -790,7 +790,7 @@ mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
struct label *bpflabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_BPF_LABEL(bpflabel);
}
@@ -916,7 +916,7 @@ mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
struct label *ifnetlabel, struct label *newlabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_IFNET_LABEL(ifnetlabel);
ASSERT_IFNET_LABEL(newlabel);
}
@@ -937,8 +937,8 @@ static void
mac_test_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
{
- ASSERT_CRED_LABEL(&cred_parent->cr_label);
- ASSERT_CRED_LABEL(&cred_child->cr_label);
+ ASSERT_CRED_LABEL(cred_parent->cr_label);
+ ASSERT_CRED_LABEL(cred_child->cr_label);
}
static void
@@ -948,8 +948,8 @@ mac_test_execve_transition(struct ucred *old, struct ucred *new,
struct label *execlabel)
{
- ASSERT_CRED_LABEL(&old->cr_label);
- ASSERT_CRED_LABEL(&new->cr_label);
+ ASSERT_CRED_LABEL(old->cr_label);
+ ASSERT_CRED_LABEL(new->cr_label);
ASSERT_VNODE_LABEL(filelabel);
ASSERT_VNODE_LABEL(interpvnodelabel);
if (execlabel != NULL) {
@@ -963,7 +963,7 @@ mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
struct image_params *imgp, struct label *execlabel)
{
- ASSERT_CRED_LABEL(&old->cr_label);
+ ASSERT_CRED_LABEL(old->cr_label);
ASSERT_VNODE_LABEL(filelabel);
if (interpvnodelabel != NULL) {
ASSERT_VNODE_LABEL(interpvnodelabel);
@@ -979,21 +979,21 @@ static void
mac_test_create_proc0(struct ucred *cred)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
}
static void
mac_test_create_proc1(struct ucred *cred)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
}
static void
mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(newlabel);
}
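Review bot: mac_test_relabel_cred still validates the incoming label with `ASSERT_VNODE_LABEL(newlabel)` on the line after the changed one, yet the argument handed to a cred relabel hook is a cred label, and mac_test_check_cred_relabel in the following hunk asserts the very same argument with ASSERT_CRED_LABEL. With the wrong slot magic the test module either panics on a perfectly valid cred relabel or waves through a mislabelled one, which is the opposite of what it exists to detect. Change it to `ASSERT_CRED_LABEL(newlabel);` so the check and relabel hooks use the same assertion.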
@@ -1023,7 +1023,7 @@ static int
mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_CRED_LABEL(newlabel);
return (0);
@@ -1033,8 +1033,8 @@ static int
mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
{
- ASSERT_CRED_LABEL(&u1->cr_label);
- ASSERT_CRED_LABEL(&u2->cr_label);
+ ASSERT_CRED_LABEL(u1->cr_label);
+ ASSERT_CRED_LABEL(u2->cr_label);
return (0);
}
@@ -1044,7 +1044,7 @@ mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
struct label *ifnetlabel, struct label *newlabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_IFNET_LABEL(ifnetlabel);
ASSERT_IFNET_LABEL(newlabel);
return (0);
@@ -1074,7 +1074,7 @@ static int
mac_test_check_kenv_get(struct ucred *cred, char *name)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
return (0);
}
@@ -1083,7 +1083,7 @@ static int
mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
return (0);
}
@@ -1092,7 +1092,7 @@ static int
mac_test_check_kenv_unset(struct ucred *cred, char *name)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
return (0);
}
@@ -1102,7 +1102,7 @@ mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
struct label *label)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@@ -1112,7 +1112,7 @@ static int
mac_test_check_kld_stat(struct ucred *cred)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
return (0);
}
@@ -1121,7 +1121,7 @@ static int
mac_test_check_kld_unload(struct ucred *cred)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
return (0);
}
@@ -1131,7 +1131,7 @@ mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
struct label *mntlabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_MOUNT_LABEL(mntlabel);
return (0);
@@ -1142,7 +1142,7 @@ mac_test_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_PIPE_LABEL(pipelabel);
return (0);
@@ -1153,7 +1153,7 @@ mac_test_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_PIPE_LABEL(pipelabel);
return (0);
@@ -1164,7 +1164,7 @@ mac_test_check_pipe_read(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_PIPE_LABEL(pipelabel);
return (0);
@@ -1175,7 +1175,7 @@ mac_test_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel, struct label *newlabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_PIPE_LABEL(pipelabel);
ASSERT_PIPE_LABEL(newlabel);
@@ -1187,7 +1187,7 @@ mac_test_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_PIPE_LABEL(pipelabel);
return (0);
@@ -1198,7 +1198,7 @@ mac_test_check_pipe_write(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_PIPE_LABEL(pipelabel);
return (0);
@@ -1208,8 +1208,8 @@ static int
mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
- ASSERT_CRED_LABEL(&proc->p_ucred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
+ ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
return (0);
}
@@ -1218,8 +1218,8 @@ static int
mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
- ASSERT_CRED_LABEL(&proc->p_ucred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
+ ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
return (0);
}
@@ -1228,8 +1228,8 @@ static int
mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
- ASSERT_CRED_LABEL(&proc->p_ucred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
+ ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
return (0);
}
@@ -1239,7 +1239,7 @@ mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct sockaddr *sockaddr)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_SOCKET_LABEL(socketlabel);
return (0);
@@ -1250,7 +1250,7 @@ mac_test_check_socket_connect(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct sockaddr *sockaddr)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_SOCKET_LABEL(socketlabel);
return (0);
@@ -1272,7 +1272,7 @@ mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_SOCKET_LABEL(socketlabel);
return (0);
@@ -1283,7 +1283,7 @@ mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_SOCKET_LABEL(socketlabel);
return (0);
@@ -1294,7 +1294,7 @@ mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct label *newlabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_SOCKET_LABEL(socketlabel);
ASSERT_SOCKET_LABEL(newlabel);
@@ -1305,7 +1305,7 @@ static int
mac_test_check_sysarch_ioperm(struct ucred *cred)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
return (0);
}
@@ -1315,7 +1315,7 @@ mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
struct label *label)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
return (0);
}
@@ -1324,7 +1324,7 @@ static int
mac_test_check_system_reboot(struct ucred *cred, int how)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
return (0);
}
@@ -1333,7 +1333,7 @@ static int
mac_test_check_system_settime(struct ucred *cred)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
return (0);
}
@@ -1343,7 +1343,7 @@ mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
struct label *label)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@@ -1354,7 +1354,7 @@ mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
struct label *label)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@@ -1365,7 +1365,7 @@ mac_test_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
return (0);
}
@@ -1375,7 +1375,7 @@ mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
struct label *label, int acc_mode)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@@ -1386,7 +1386,7 @@ mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
struct label *dlabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(dlabel);
return (0);
@@ -1397,7 +1397,7 @@ mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
struct label *dlabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(dlabel);
return (0);
@@ -1408,7 +1408,7 @@ mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct componentname *cnp, struct vattr *vap)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(dlabel);
return (0);
@@ -1420,7 +1420,7 @@ mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(dlabel);
ASSERT_VNODE_LABEL(label);
@@ -1432,7 +1432,7 @@ mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
struct label *label, acl_type_t type)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@@ -1443,7 +1443,7 @@ mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
struct label *label, int attrnamespace, const char *name)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@@ -1455,7 +1455,7 @@ mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
struct label *execlabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
if (execlabel != NULL) {
ASSERT_CRED_LABEL(execlabel);
@@ -1469,7 +1469,7 @@ mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
struct label *label, acl_type_t type)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@@ -1480,7 +1480,7 @@ mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
struct label *label, int attrnamespace, const char *name, struct uio *uio)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@@ -1492,7 +1492,7 @@ mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(dlabel);
ASSERT_VNODE_LABEL(label);
@@ -1504,7 +1504,7 @@ mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
struct label *label, int attrnamespace)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@@ -1515,7 +1515,7 @@ mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct componentname *cnp)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(dlabel);
return (0);
@@ -1526,7 +1526,7 @@ mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
struct label *label, int prot)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@@ -1537,7 +1537,7 @@ mac_test_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
struct label *label, int prot)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@@ -1548,7 +1548,7 @@ mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
struct label *filelabel, int acc_mode)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(filelabel);
return (0);
@@ -1559,8 +1559,8 @@ mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *label)
{
- ASSERT_CRED_LABEL(&active_cred->cr_label);
- ASSERT_CRED_LABEL(&file_cred->cr_label);
+ ASSERT_CRED_LABEL(active_cred->cr_label);
+ ASSERT_CRED_LABEL(file_cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
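Review bot: mac_test_check_vnode_poll dereferences `file_cred->cr_label` unconditionally, whereas the sibling read, stat and write hooks later in this file wrap the same assertion in `if (file_cred != NULL)`. If poll can ever be invoked with a NOCRED file credential this is a NULL dereference inside the test policy; if it cannot, the asymmetry at least deserves a comment saying why. Unless the caller guarantees a non-NULL file_cred here, guard it the same way as its siblings: `if (file_cred != NULL) { ASSERT_CRED_LABEL(file_cred->cr_label); }`. The hook's body continues past the end of the hunk.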
@@ -1571,9 +1571,9 @@ mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *label)
{
- ASSERT_CRED_LABEL(&active_cred->cr_label);
+ ASSERT_CRED_LABEL(active_cred->cr_label);
if (file_cred != NULL) {
- ASSERT_CRED_LABEL(&file_cred->cr_label);
+ ASSERT_CRED_LABEL(file_cred->cr_label);
}
ASSERT_VNODE_LABEL(label);
@@ -1585,7 +1585,7 @@ mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
struct label *dlabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(dlabel);
return (0);
@@ -1596,7 +1596,7 @@ mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
struct label *vnodelabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(vnodelabel);
return (0);
@@ -1607,7 +1607,7 @@ mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
struct label *vnodelabel, struct label *newlabel)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(vnodelabel);
ASSERT_VNODE_LABEL(newlabel);
@@ -1620,7 +1620,7 @@ mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(dlabel);
ASSERT_VNODE_LABEL(label);
@@ -1633,7 +1633,7 @@ mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(dlabel);
if (vp != NULL) {
@@ -1648,7 +1648,7 @@ mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
struct label *label)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@@ -1659,7 +1659,7 @@ mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
struct label *label, acl_type_t type, struct acl *acl)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@@ -1670,7 +1670,7 @@ mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
struct label *label, int attrnamespace, const char *name, struct uio *uio)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@@ -1681,7 +1681,7 @@ mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
struct label *label, u_long flags)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@@ -1692,7 +1692,7 @@ mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
struct label *label, mode_t mode)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@@ -1703,7 +1703,7 @@ mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
struct label *label, uid_t uid, gid_t gid)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@@ -1714,7 +1714,7 @@ mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
struct label *label, struct timespec atime, struct timespec mtime)
{
- ASSERT_CRED_LABEL(&cred->cr_label);
+ ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@@ -1725,9 +1725,9 @@ mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *label)
{
- ASSERT_CRED_LABEL(&active_cred->cr_label);
+ ASSERT_CRED_LABEL(active_cred->cr_label);
if (file_cred != NULL) {
- ASSERT_CRED_LABEL(&file_cred->cr_label);
+ ASSERT_CRED_LABEL(file_cred->cr_label);
}
ASSERT_VNODE_LABEL(label);
@@ -1739,9 +1739,9 @@ mac_test_check_vnode_write(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp, struct label *label)
{
- ASSERT_CRED_LABEL(&active_cred->cr_label);
+ ASSERT_CRED_LABEL(active_cred->cr_label);
if (file_cred != NULL) {
- ASSERT_CRED_LABEL(&file_cred->cr_label);
+ ASSERT_CRED_LABEL(file_cred->cr_label);
}
ASSERT_VNODE_LABEL(label);
diff --git a/sys/sys/mac.h b/sys/sys/mac.h
index 7955c25aa611..1dc6bf111fae 100644
--- a/sys/sys/mac.h
+++ b/sys/sys/mac.h
@@ -144,7 +144,6 @@ int mac_init_mbuf_tag(struct m_tag *, int flag);
void mac_init_mount(struct mount *);
void mac_init_proc(struct proc *);
void mac_init_vnode(struct vnode *);
-void mac_init_vnode_label(struct label *);
void mac_copy_mbuf_tag(struct m_tag *, struct m_tag *);
void mac_copy_vnode_label(struct label *, struct label *label);
void mac_destroy_bpfdesc(struct bpf_d *);
@@ -158,7 +157,12 @@ void mac_destroy_proc(struct proc *);
void mac_destroy_mbuf_tag(struct m_tag *);
void mac_destroy_mount(struct mount *);
void mac_destroy_vnode(struct vnode *);
-void mac_destroy_vnode_label(struct label *);
+
+struct label *mac_cred_label_alloc(void);
+void mac_cred_label_free(struct label *label);
+struct label *mac_vnode_label_alloc(void);
+void mac_vnode_label_free(struct label *label);
+void mac_destroy_vnode_label(struct label *);
/*
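Review bot: The prototype for `mac_destroy_vnode_label` is removed and then declared again directly beneath the new `mac_vnode_label_free`, so sys/mac.h now exports two release routines for a vnode label with nothing saying which one a caller should use or how they differ (one presumably only tears down the per-policy slots while the other also returns the allocation, but the header does not say so). A short comment above the new block would keep callers from freeing a label through the wrong routine, e.g. `/* Heap-allocated labels: *_label_alloc() returns an initialized label that must be released with the matching *_label_free(); mac_destroy_vnode_label() only tears down policy state. */`. The deleted `mac_init_vnode_label` prototype should also have no remaining callers outside the files in the diffstat; that is worth a grep before commit.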
* Labeling event operations: file system objects, and things that
@@ -220,8 +224,7 @@ void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq);
* Labeling event operations: processes.
*/
void mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child);
-int mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
- struct label *execlabel);
+int mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
void mac_execve_exit(struct image_params *imgp);
void mac_execve_transition(struct ucred *old, struct ucred *new,
struct vnode *vp, struct label *interpvnodelabel,
diff --git a/sys/sys/mount.h b/sys/sys/mount.h
index 49d27991b65b..61aeb8452829 100644
--- a/sys/sys/mount.h
+++ b/sys/sys/mount.h
@@ -41,7 +41,6 @@
#include <sys/queue.h>
#ifdef _KERNEL
#include <sys/lockmgr.h>
-#include <sys/_label.h>
#include <sys/_lock.h>
#include <sys/_mutex.h>
#endif
@@ -145,8 +144,8 @@ struct mount {
time_t mnt_time; /* last time written*/
int mnt_iosize_max; /* max size for clusters, etc */
struct netexport *mnt_export; /* export list */
- struct label mnt_mntlabel; /* MAC label for the mount */
- struct label mnt_fslabel; /* MAC label for the fs */
+ struct label *mnt_mntlabel; /* MAC label for the mount */
+ struct label *mnt_fslabel; /* MAC label for the fs */
int mnt_nvnodelistsize; /* # of vnodes on this mount */
};
diff --git a/sys/sys/pipe.h b/sys/sys/pipe.h
index 93103f6905e4..bdb9104d1454 100644
--- a/sys/sys/pipe.h
+++ b/sys/sys/pipe.h
@@ -28,7 +28,6 @@
#include <sys/time.h> /* for struct timespec */
#include <sys/selinfo.h> /* for struct selinfo */
#include <vm/vm.h> /* for vm_page_t */
-#include <sys/_label.h> /* for struct label */
#include <machine/param.h> /* for PAGE_SIZE */
#endif
diff --git a/sys/sys/proc.h b/sys/sys/proc.h
index 70632f8906ee..792abba82fed 100644
--- a/sys/sys/proc.h
+++ b/sys/sys/proc.h
@@ -55,7 +55,6 @@
#include <sys/runq.h>
#include <sys/sigio.h>
#include <sys/signal.h>
-#include <sys/_label.h>
#ifndef _KERNEL
#include <sys/time.h> /* For structs itimerval, timeval. */
#else
@@ -616,7 +615,7 @@ struct proc {
struct proc *p_peers; /* (r) */
struct proc *p_leader; /* (b) */
void *p_emuldata; /* (c) Emulator state data. */
- struct label p_label; /* (*) Process (not subject) MAC label */
+ struct label *p_label; /* (*) Proc (not subject) MAC label. */
struct p_sched *p_sched; /* (*) Scheduler-specific data. */
};
diff --git a/sys/sys/socketvar.h b/sys/sys/socketvar.h
index 2b0a0cb1511b..1277c2b1a773 100644
--- a/sys/sys/socketvar.h
+++ b/sys/sys/socketvar.h
@@ -37,7 +37,6 @@
#ifndef _SYS_SOCKETVAR_H_
#define _SYS_SOCKETVAR_H_
-#include <sys/_label.h> /* for struct label */
#include <sys/queue.h> /* for TAILQ macros */
#include <sys/selinfo.h> /* for struct selinfo */
@@ -128,8 +127,8 @@ struct socket {
void (*so_upcall)(struct socket *, void *, int);
void *so_upcallarg;
struct ucred *so_cred; /* user credentials */
- struct label so_label; /* MAC label for socket */
- struct label so_peerlabel; /* cached MAC label for socket peer */
+ struct label *so_label; /* MAC label for socket */
+ struct label *so_peerlabel; /* cached MAC label for socket peer */
/* NB: generation count must not be first; easiest to make it last. */
so_gen_t so_gencnt; /* generation count */
void *so_emuldata; /* private data for emulators */
diff --git a/sys/sys/ucred.h b/sys/sys/ucred.h
index 448d5c3ad9a4..e8f38bf705ee 100644
--- a/sys/sys/ucred.h
+++ b/sys/sys/ucred.h
@@ -44,7 +44,6 @@
* Only the suser() or suser_cred() function should be used for this.
*/
#if defined(_KERNEL) || defined(_WANT_UCRED)
-#include <sys/_label.h>
struct ucred {
u_int cr_ref; /* reference count */
@@ -60,7 +59,7 @@ struct ucred {
struct uidinfo *cr_ruidinfo; /* per ruid resource consumption */
struct prison *cr_prison; /* jail(2) */
#define cr_endcopy cr_label
- struct label cr_label; /* MAC label */
+ struct label *cr_label; /* MAC label */
struct mtx *cr_mtxp; /* protect refcount */
};
#define NOCRED ((struct ucred *)0) /* no credential available */
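Review bot: `cr_label` is now a pointer but it still sits immediately after `#define cr_endcopy cr_label`, so the byte copy crcopy() performs over the cr_startcopy..cr_endcopy range stops short of it and the destination keeps the label its own crget() allocated instead of aliasing the source's pointer. That is the behaviour you want, since two creds sharing one heap label would double-free on crfree, but nothing in the header records that the member's position is now load-bearing. Add `/* Must stay past cr_endcopy: crcopy() must not duplicate the label pointer; the label contents are copied by mac_create_cred(). */` beside the member so a later reordering does not silently introduce aliasing. The crcopy/mac_create_cred interaction is inferred from the cr_endcopy convention and the diffstat, not visible in this hunk.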
diff --git a/sys/sys/vnode.h b/sys/sys/vnode.h
index 1c91c9442a51..1d85ba5d45b7 100644
--- a/sys/sys/vnode.h
+++ b/sys/sys/vnode.h
@@ -44,7 +44,6 @@
#include <sys/lockmgr.h>
#include <sys/queue.h>
-#include <sys/_label.h>
#include <sys/_lock.h>
#include <sys/lock.h>
#include <sys/_mutex.h>
@@ -153,7 +152,7 @@ struct vnode {
struct vnode *v_dd; /* c .. vnode */
u_long v_ddid; /* c .. capability identifier */
struct vpollinfo *v_pollinfo; /* p Poll events */
- struct label v_label; /* MAC label for vnode */
+ struct label *v_label; /* MAC label for vnode */
#ifdef DEBUG_LOCKS
const char *filename; /* Source file doing locking */
int line; /* Line number doing locking */