Rename MAC Framework-internal macros used to invoke policy entry points:
MAC_BOOLEAN -> MAC_POLICY_BOOLEAN
MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEAN_NOSLEEP
MAC_CHECK -> MAC_POLICY_CHECK
MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP
MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE
MAC_GRANT -> MAC_POLICY_GRANT
MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP
MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE
MAC_PERFORM -> MAC_POLICY_PERFORM
MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP

This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel.

Obtained from: TrustedBSD Project
parent
2f369c9496
commit
fa76567150
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=191731
@ -64,7 +64,7 @@ mac_netatalk_aarp_send(struct ifnet *ifp, struct mbuf *m)
|
||||
mlabel = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_IFNET_LOCK(ifp);
|
||||
MAC_PERFORM_NOSLEEP(netatalk_aarp_send, ifp, ifp->if_label, m,
|
||||
MAC_POLICY_PERFORM_NOSLEEP(netatalk_aarp_send, ifp, ifp->if_label, m,
|
||||
mlabel);
|
||||
MAC_IFNET_UNLOCK(ifp);
|
||||
}
|
||||
|
@ -66,7 +66,7 @@ mac_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(cred_check_setaudit, cred, ai);
|
||||
MAC_POLICY_CHECK_NOSLEEP(cred_check_setaudit, cred, ai);
|
||||
MAC_CHECK_PROBE2(cred_check_setaudit, error, cred, ai);
|
||||
|
||||
return (error);
|
||||
@ -80,7 +80,7 @@ mac_cred_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(cred_check_setaudit_addr, cred, aia);
|
||||
MAC_POLICY_CHECK_NOSLEEP(cred_check_setaudit_addr, cred, aia);
|
||||
MAC_CHECK_PROBE2(cred_check_setaudit_addr, error, cred, aia);
|
||||
|
||||
return (error);
|
||||
@ -93,7 +93,7 @@ mac_cred_check_setauid(struct ucred *cred, uid_t auid)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(cred_check_setauid, cred, auid);
|
||||
MAC_POLICY_CHECK_NOSLEEP(cred_check_setauid, cred, auid);
|
||||
MAC_CHECK_PROBE2(cred_check_setauid, error, cred, auid);
|
||||
|
||||
return (error);
|
||||
@ -107,7 +107,7 @@ mac_system_check_audit(struct ucred *cred, void *record, int length)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(system_check_audit, cred, record, length);
|
||||
MAC_POLICY_CHECK_NOSLEEP(system_check_audit, cred, record, length);
|
||||
MAC_CHECK_PROBE3(system_check_audit, error, cred, record, length);
|
||||
|
||||
return (error);
|
||||
@ -125,7 +125,7 @@ mac_system_check_auditctl(struct ucred *cred, struct vnode *vp)
|
||||
ASSERT_VOP_LOCKED(vp, "mac_system_check_auditctl");
|
||||
|
||||
vl = (vp != NULL) ? vp->v_label : NULL;
|
||||
MAC_CHECK(system_check_auditctl, cred, vp, vl);
|
||||
MAC_POLICY_CHECK(system_check_auditctl, cred, vp, vl);
|
||||
MAC_CHECK_PROBE2(system_check_auditctl, error, cred, vp);
|
||||
|
||||
return (error);
|
||||
@ -138,7 +138,7 @@ mac_system_check_auditon(struct ucred *cred, int cmd)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(system_check_auditon, cred, cmd);
|
||||
MAC_POLICY_CHECK_NOSLEEP(system_check_auditon, cred, cmd);
|
||||
MAC_CHECK_PROBE2(system_check_auditon, error, cred, cmd);
|
||||
|
||||
return (error);
|
||||
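Review bot: `MAC_CHECK_PROBE2` and `MAC_CHECK_PROBE3`, invoked directly after each renamed check in this section, keep the `MAC_CHECK_` prefix while the invocation macros beside them move to `MAC_POLICY_`. Both families appear to be framework-internal, so if the bare `MAC_CHECK` name is later reused for something else, the probe macros will read as part of that new family. A follow-up rename, or a short comment at the probe macro definitions (not visible here) stating that they are internal, would keep the naming consistent. The same pattern recurs in the sections holding the mac_cred_check_*, mac_inpcb_check_* and mac_bpfdesc/mac_ifnet check functions. Most of the functions shown begin or end outside their hunks.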
|
@ -82,7 +82,7 @@ mac_cred_label_alloc(void)
|
||||
struct label *label;
|
||||
|
||||
label = mac_labelzone_alloc(M_WAITOK);
|
||||
MAC_PERFORM(cred_init_label, label);
|
||||
MAC_POLICY_PERFORM(cred_init_label, label);
|
||||
return (label);
|
||||
}
|
||||
|
||||
@ -100,7 +100,7 @@ void
|
||||
mac_cred_label_free(struct label *label)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(cred_destroy_label, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(cred_destroy_label, label);
|
||||
mac_labelzone_free(label);
|
||||
}
|
||||
|
||||
@ -127,7 +127,7 @@ void
|
||||
mac_cred_associate_nfsd(struct ucred *cred)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(cred_associate_nfsd, cred);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(cred_associate_nfsd, cred);
|
||||
}
|
||||
|
||||
/*
|
||||
@ -138,7 +138,7 @@ void
|
||||
mac_cred_create_swapper(struct ucred *cred)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(cred_create_swapper, cred);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(cred_create_swapper, cred);
|
||||
}
|
||||
|
||||
/*
|
||||
@ -149,7 +149,7 @@ void
|
||||
mac_cred_create_init(struct ucred *cred)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(cred_create_init, cred);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(cred_create_init, cred);
|
||||
}
|
||||
|
||||
int
|
||||
@ -158,7 +158,7 @@ mac_cred_externalize_label(struct label *label, char *elements,
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_EXTERNALIZE(cred, label, elements, outbuf, outbuflen);
|
||||
MAC_POLICY_EXTERNALIZE(cred, label, elements, outbuf, outbuflen);
|
||||
|
||||
return (error);
|
||||
}
|
||||
@ -168,7 +168,7 @@ mac_cred_internalize_label(struct label *label, char *string)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_INTERNALIZE(cred, label, string);
|
||||
MAC_POLICY_INTERNALIZE(cred, label, string);
|
||||
|
||||
return (error);
|
||||
}
|
||||
@ -182,7 +182,8 @@ void
|
||||
mac_cred_copy(struct ucred *src, struct ucred *dest)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(cred_copy_label, src->cr_label, dest->cr_label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(cred_copy_label, src->cr_label,
|
||||
dest->cr_label);
|
||||
}
|
||||
|
||||
/*
|
||||
@ -194,7 +195,7 @@ void
|
||||
mac_cred_relabel(struct ucred *cred, struct label *newlabel)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(cred_relabel, cred, newlabel);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(cred_relabel, cred, newlabel);
|
||||
}
|
||||
|
||||
MAC_CHECK_PROBE_DEFINE2(cred_check_relabel, "struct ucred *",
|
||||
@ -205,7 +206,7 @@ mac_cred_check_relabel(struct ucred *cred, struct label *newlabel)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(cred_check_relabel, cred, newlabel);
|
||||
MAC_POLICY_CHECK_NOSLEEP(cred_check_relabel, cred, newlabel);
|
||||
MAC_CHECK_PROBE2(cred_check_relabel, error, cred, newlabel);
|
||||
|
||||
return (error);
|
||||
@ -218,7 +219,7 @@ mac_cred_check_setuid(struct ucred *cred, uid_t uid)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(cred_check_setuid, cred, uid);
|
||||
MAC_POLICY_CHECK_NOSLEEP(cred_check_setuid, cred, uid);
|
||||
MAC_CHECK_PROBE2(cred_check_setuid, error, cred, uid);
|
||||
|
||||
return (error);
|
||||
@ -231,7 +232,7 @@ mac_cred_check_seteuid(struct ucred *cred, uid_t euid)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(cred_check_seteuid, cred, euid);
|
||||
MAC_POLICY_CHECK_NOSLEEP(cred_check_seteuid, cred, euid);
|
||||
MAC_CHECK_PROBE2(cred_check_seteuid, error, cred, euid);
|
||||
|
||||
return (error);
|
||||
@ -244,7 +245,7 @@ mac_cred_check_setgid(struct ucred *cred, gid_t gid)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(cred_check_setgid, cred, gid);
|
||||
MAC_POLICY_CHECK_NOSLEEP(cred_check_setgid, cred, gid);
|
||||
MAC_CHECK_PROBE2(cred_check_setgid, error, cred, gid);
|
||||
|
||||
return (error);
|
||||
@ -257,7 +258,7 @@ mac_cred_check_setegid(struct ucred *cred, gid_t egid)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(cred_check_setegid, cred, egid);
|
||||
MAC_POLICY_CHECK_NOSLEEP(cred_check_setegid, cred, egid);
|
||||
MAC_CHECK_PROBE2(cred_check_setegid, error, cred, egid);
|
||||
|
||||
return (error);
|
||||
@ -271,7 +272,7 @@ mac_cred_check_setgroups(struct ucred *cred, int ngroups, gid_t *gidset)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(cred_check_setgroups, cred, ngroups, gidset);
|
||||
MAC_POLICY_CHECK_NOSLEEP(cred_check_setgroups, cred, ngroups, gidset);
|
||||
MAC_CHECK_PROBE3(cred_check_setgroups, error, cred, ngroups, gidset);
|
||||
|
||||
return (error);
|
||||
@ -285,7 +286,7 @@ mac_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(cred_check_setreuid, cred, ruid, euid);
|
||||
MAC_POLICY_CHECK_NOSLEEP(cred_check_setreuid, cred, ruid, euid);
|
||||
MAC_CHECK_PROBE3(cred_check_setreuid, error, cred, ruid, euid);
|
||||
|
||||
return (error);
|
||||
@ -299,7 +300,7 @@ mac_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(cred_check_setregid, cred, rgid, egid);
|
||||
MAC_POLICY_CHECK_NOSLEEP(cred_check_setregid, cred, rgid, egid);
|
||||
MAC_CHECK_PROBE3(cred_check_setregid, error, cred, rgid, egid);
|
||||
|
||||
return (error);
|
||||
@ -314,7 +315,7 @@ mac_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(cred_check_setresuid, cred, ruid, euid, suid);
|
||||
MAC_POLICY_CHECK_NOSLEEP(cred_check_setresuid, cred, ruid, euid, suid);
|
||||
MAC_CHECK_PROBE4(cred_check_setresuid, error, cred, ruid, euid,
|
||||
suid);
|
||||
|
||||
@ -330,7 +331,7 @@ mac_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(cred_check_setresgid, cred, rgid, egid, sgid);
|
||||
MAC_POLICY_CHECK_NOSLEEP(cred_check_setresgid, cred, rgid, egid, sgid);
|
||||
MAC_CHECK_PROBE4(cred_check_setresgid, error, cred, rgid, egid,
|
||||
sgid);
|
||||
|
||||
@ -345,7 +346,7 @@ mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(cred_check_visible, cr1, cr2);
|
||||
MAC_POLICY_CHECK_NOSLEEP(cred_check_visible, cr1, cr2);
|
||||
MAC_CHECK_PROBE2(cred_check_visible, error, cr1, cr2);
|
||||
|
||||
return (error);
|
||||
|
@ -85,11 +85,11 @@ mac_inpcb_label_alloc(int flag)
|
||||
if (label == NULL)
|
||||
return (NULL);
|
||||
if (flag & M_WAITOK)
|
||||
MAC_CHECK(inpcb_init_label, label, flag);
|
||||
MAC_POLICY_CHECK(inpcb_init_label, label, flag);
|
||||
else
|
||||
MAC_CHECK_NOSLEEP(inpcb_init_label, label, flag);
|
||||
MAC_POLICY_CHECK_NOSLEEP(inpcb_init_label, label, flag);
|
||||
if (error) {
|
||||
MAC_PERFORM_NOSLEEP(inpcb_destroy_label, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(inpcb_destroy_label, label);
|
||||
mac_labelzone_free(label);
|
||||
return (NULL);
|
||||
}
|
||||
@ -120,11 +120,11 @@ mac_ipq_label_alloc(int flag)
|
||||
return (NULL);
|
||||
|
||||
if (flag & M_WAITOK)
|
||||
MAC_CHECK(ipq_init_label, label, flag);
|
||||
MAC_POLICY_CHECK(ipq_init_label, label, flag);
|
||||
else
|
||||
MAC_CHECK_NOSLEEP(ipq_init_label, label, flag);
|
||||
MAC_POLICY_CHECK_NOSLEEP(ipq_init_label, label, flag);
|
||||
if (error) {
|
||||
MAC_PERFORM_NOSLEEP(ipq_destroy_label, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(ipq_destroy_label, label);
|
||||
mac_labelzone_free(label);
|
||||
return (NULL);
|
||||
}
|
||||
@ -148,7 +148,7 @@ static void
|
||||
mac_inpcb_label_free(struct label *label)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(inpcb_destroy_label, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(inpcb_destroy_label, label);
|
||||
mac_labelzone_free(label);
|
||||
}
|
||||
|
||||
@ -166,7 +166,7 @@ static void
|
||||
mac_ipq_label_free(struct label *label)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(ipq_destroy_label, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(ipq_destroy_label, label);
|
||||
mac_labelzone_free(label);
|
||||
}
|
||||
|
||||
@ -184,7 +184,7 @@ void
|
||||
mac_inpcb_create(struct socket *so, struct inpcb *inp)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(inpcb_create, so, so->so_label, inp,
|
||||
MAC_POLICY_PERFORM_NOSLEEP(inpcb_create, so, so->so_label, inp,
|
||||
inp->inp_label);
|
||||
}
|
||||
|
||||
@ -195,7 +195,8 @@ mac_ipq_reassemble(struct ipq *q, struct mbuf *m)
|
||||
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_PERFORM_NOSLEEP(ipq_reassemble, q, q->ipq_label, m, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(ipq_reassemble, q, q->ipq_label, m,
|
||||
label);
|
||||
}
|
||||
|
||||
void
|
||||
@ -206,7 +207,8 @@ mac_netinet_fragment(struct mbuf *m, struct mbuf *frag)
|
||||
mlabel = mac_mbuf_to_label(m);
|
||||
fraglabel = mac_mbuf_to_label(frag);
|
||||
|
||||
MAC_PERFORM_NOSLEEP(netinet_fragment, m, mlabel, frag, fraglabel);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(netinet_fragment, m, mlabel, frag,
|
||||
fraglabel);
|
||||
}
|
||||
|
||||
void
|
||||
@ -216,7 +218,7 @@ mac_ipq_create(struct mbuf *m, struct ipq *q)
|
||||
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_PERFORM_NOSLEEP(ipq_create, m, label, q, q->ipq_label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(ipq_create, m, label, q, q->ipq_label);
|
||||
}
|
||||
|
||||
void
|
||||
@ -227,7 +229,7 @@ mac_inpcb_create_mbuf(struct inpcb *inp, struct mbuf *m)
|
||||
INP_LOCK_ASSERT(inp);
|
||||
mlabel = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_PERFORM_NOSLEEP(inpcb_create_mbuf, inp, inp->inp_label, m,
|
||||
MAC_POLICY_PERFORM_NOSLEEP(inpcb_create_mbuf, inp, inp->inp_label, m,
|
||||
mlabel);
|
||||
}
|
||||
|
||||
@ -240,7 +242,7 @@ mac_ipq_match(struct mbuf *m, struct ipq *q)
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
result = 1;
|
||||
MAC_BOOLEAN_NOSLEEP(ipq_match, &&, m, label, q, q->ipq_label);
|
||||
MAC_POLICY_BOOLEAN_NOSLEEP(ipq_match, &&, m, label, q, q->ipq_label);
|
||||
|
||||
return (result);
|
||||
}
|
||||
@ -253,7 +255,8 @@ mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m)
|
||||
mlabel = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_IFNET_LOCK(ifp);
|
||||
MAC_PERFORM_NOSLEEP(netinet_arp_send, ifp, ifp->if_label, m, mlabel);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(netinet_arp_send, ifp, ifp->if_label, m,
|
||||
mlabel);
|
||||
MAC_IFNET_UNLOCK(ifp);
|
||||
}
|
||||
|
||||
@ -265,8 +268,8 @@ mac_netinet_icmp_reply(struct mbuf *mrecv, struct mbuf *msend)
|
||||
mrecvlabel = mac_mbuf_to_label(mrecv);
|
||||
msendlabel = mac_mbuf_to_label(msend);
|
||||
|
||||
MAC_PERFORM_NOSLEEP(netinet_icmp_reply, mrecv, mrecvlabel, msend,
|
||||
msendlabel);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(netinet_icmp_reply, mrecv, mrecvlabel,
|
||||
msend, msendlabel);
|
||||
}
|
||||
|
||||
void
|
||||
@ -276,7 +279,7 @@ mac_netinet_icmp_replyinplace(struct mbuf *m)
|
||||
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_PERFORM_NOSLEEP(netinet_icmp_replyinplace, m, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(netinet_icmp_replyinplace, m, label);
|
||||
}
|
||||
|
||||
void
|
||||
@ -287,7 +290,7 @@ mac_netinet_igmp_send(struct ifnet *ifp, struct mbuf *m)
|
||||
mlabel = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_IFNET_LOCK(ifp);
|
||||
MAC_PERFORM_NOSLEEP(netinet_igmp_send, ifp, ifp->if_label, m,
|
||||
MAC_POLICY_PERFORM_NOSLEEP(netinet_igmp_send, ifp, ifp->if_label, m,
|
||||
mlabel);
|
||||
MAC_IFNET_UNLOCK(ifp);
|
||||
}
|
||||
@ -299,7 +302,7 @@ mac_netinet_tcp_reply(struct mbuf *m)
|
||||
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_PERFORM_NOSLEEP(netinet_tcp_reply, m, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(netinet_tcp_reply, m, label);
|
||||
}
|
||||
|
||||
void
|
||||
@ -309,7 +312,7 @@ mac_ipq_update(struct mbuf *m, struct ipq *q)
|
||||
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_PERFORM_NOSLEEP(ipq_update, m, label, q, q->ipq_label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(ipq_update, m, label, q, q->ipq_label);
|
||||
}
|
||||
|
||||
MAC_CHECK_PROBE_DEFINE2(inpcb_check_deliver, "struct inpcb *",
|
||||
@ -325,7 +328,7 @@ mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m)
|
||||
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_CHECK_NOSLEEP(inpcb_check_deliver, inp, inp->inp_label, m,
|
||||
MAC_POLICY_CHECK_NOSLEEP(inpcb_check_deliver, inp, inp->inp_label, m,
|
||||
label);
|
||||
MAC_CHECK_PROBE2(inpcb_check_deliver, error, inp, m);
|
||||
|
||||
@ -342,7 +345,8 @@ mac_inpcb_check_visible(struct ucred *cred, struct inpcb *inp)
|
||||
|
||||
INP_LOCK_ASSERT(inp);
|
||||
|
||||
MAC_CHECK_NOSLEEP(inpcb_check_visible, cred, inp, inp->inp_label);
|
||||
MAC_POLICY_CHECK_NOSLEEP(inpcb_check_visible, cred, inp,
|
||||
inp->inp_label);
|
||||
MAC_CHECK_PROBE2(inpcb_check_visible, error, cred, inp);
|
||||
|
||||
return (error);
|
||||
@ -355,7 +359,7 @@ mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp)
|
||||
INP_WLOCK_ASSERT(inp);
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
MAC_PERFORM_NOSLEEP(inpcb_sosetlabel, so, so->so_label, inp,
|
||||
MAC_POLICY_PERFORM_NOSLEEP(inpcb_sosetlabel, so, so->so_label, inp,
|
||||
inp->inp_label);
|
||||
}
|
||||
|
||||
@ -370,8 +374,8 @@ mac_netinet_firewall_reply(struct mbuf *mrecv, struct mbuf *msend)
|
||||
mrecvlabel = mac_mbuf_to_label(mrecv);
|
||||
msendlabel = mac_mbuf_to_label(msend);
|
||||
|
||||
MAC_PERFORM_NOSLEEP(netinet_firewall_reply, mrecv, mrecvlabel, msend,
|
||||
msendlabel);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(netinet_firewall_reply, mrecv, mrecvlabel,
|
||||
msend, msendlabel);
|
||||
}
|
||||
|
||||
void
|
||||
@ -383,7 +387,7 @@ mac_netinet_firewall_send(struct mbuf *m)
|
||||
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_PERFORM_NOSLEEP(netinet_firewall_send, m, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(netinet_firewall_send, m, label);
|
||||
}
|
||||
|
||||
/*
|
||||
@ -400,7 +404,7 @@ mac_syncache_destroy(struct label **label)
|
||||
{
|
||||
|
||||
if (*label != NULL) {
|
||||
MAC_PERFORM_NOSLEEP(syncache_destroy_label, *label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(syncache_destroy_label, *label);
|
||||
mac_labelzone_free(*label);
|
||||
*label = NULL;
|
||||
}
|
||||
@ -422,9 +426,11 @@ mac_syncache_init(struct label **label)
|
||||
* MAC_PERFORM so we can propagate allocation failures back
|
||||
* to the syncache code.
|
||||
*/
|
||||
MAC_CHECK_NOSLEEP(syncache_init_label, *label, M_NOWAIT);
|
||||
MAC_POLICY_CHECK_NOSLEEP(syncache_init_label, *label,
|
||||
M_NOWAIT);
|
||||
if (error) {
|
||||
MAC_PERFORM_NOSLEEP(syncache_destroy_label, *label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(syncache_destroy_label,
|
||||
*label);
|
||||
mac_labelzone_free(*label);
|
||||
}
|
||||
return (error);
|
||||
@ -439,7 +445,7 @@ mac_syncache_create(struct label *label, struct inpcb *inp)
|
||||
|
||||
INP_WLOCK_ASSERT(inp);
|
||||
|
||||
MAC_PERFORM_NOSLEEP(syncache_create, label, inp);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(syncache_create, label, inp);
|
||||
}
|
||||
|
||||
void
|
||||
@ -451,5 +457,6 @@ mac_syncache_create_mbuf(struct label *sc_label, struct mbuf *m)
|
||||
|
||||
mlabel = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_PERFORM_NOSLEEP(syncache_create_mbuf, sc_label, m, mlabel);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(syncache_create_mbuf, sc_label, m,
|
||||
mlabel);
|
||||
}
|
||||
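Review bot: In the mac_syncache_init hunk, the failure branch frees the label with `mac_labelzone_free(*label);` but leaves the freed pointer in `*label`, whereas mac_syncache_destroy in this same section clears it with `*label = NULL;` after freeing. If a caller passes that pointer to mac_syncache_destroy after a failed init (the callers are not visible here), the `*label != NULL` test would pass and the label would be destroyed and freed a second time; adding `*label = NULL;` after the free in the error branch closes that. The comment above the check also still reads `MAC_PERFORM so we can propagate allocation failures back`, although the invocations beneath it now use the `MAC_POLICY_` names, so the comment text should follow the rename. The function and its comment begin outside the hunk.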
|
@ -71,11 +71,11 @@ mac_ip6q_label_alloc(int flag)
|
||||
return (NULL);
|
||||
|
||||
if (flag & M_WAITOK)
|
||||
MAC_CHECK(ip6q_init_label, label, flag);
|
||||
MAC_POLICY_CHECK(ip6q_init_label, label, flag);
|
||||
else
|
||||
MAC_CHECK_NOSLEEP(ip6q_init_label, label, flag);
|
||||
MAC_POLICY_CHECK_NOSLEEP(ip6q_init_label, label, flag);
|
||||
if (error) {
|
||||
MAC_PERFORM_NOSLEEP(ip6q_destroy_label, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(ip6q_destroy_label, label);
|
||||
mac_labelzone_free(label);
|
||||
return (NULL);
|
||||
}
|
||||
@ -99,7 +99,7 @@ static void
|
||||
mac_ip6q_label_free(struct label *label)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(ip6q_destroy_label, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(ip6q_destroy_label, label);
|
||||
mac_labelzone_free(label);
|
||||
}
|
||||
|
||||
@ -120,7 +120,8 @@ mac_ip6q_reassemble(struct ip6q *q6, struct mbuf *m)
|
||||
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_PERFORM_NOSLEEP(ip6q_reassemble, q6, q6->ip6q_label, m, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(ip6q_reassemble, q6, q6->ip6q_label, m,
|
||||
label);
|
||||
}
|
||||
|
||||
void
|
||||
@ -130,7 +131,8 @@ mac_ip6q_create(struct mbuf *m, struct ip6q *q6)
|
||||
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_PERFORM_NOSLEEP(ip6q_create, m, label, q6, q6->ip6q_label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(ip6q_create, m, label, q6,
|
||||
q6->ip6q_label);
|
||||
}
|
||||
|
||||
int
|
||||
@ -142,7 +144,8 @@ mac_ip6q_match(struct mbuf *m, struct ip6q *q6)
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
result = 1;
|
||||
MAC_BOOLEAN_NOSLEEP(ip6q_match, &&, m, label, q6, q6->ip6q_label);
|
||||
MAC_POLICY_BOOLEAN_NOSLEEP(ip6q_match, &&, m, label, q6,
|
||||
q6->ip6q_label);
|
||||
|
||||
return (result);
|
||||
}
|
||||
@ -154,7 +157,8 @@ mac_ip6q_update(struct mbuf *m, struct ip6q *q6)
|
||||
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_PERFORM_NOSLEEP(ip6q_update, m, label, q6, q6->ip6q_label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(ip6q_update, m, label, q6,
|
||||
q6->ip6q_label);
|
||||
}
|
||||
|
||||
void
|
||||
@ -164,6 +168,6 @@ mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m)
|
||||
|
||||
mlabel = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_PERFORM_NOSLEEP(netinet6_nd6_send, ifp, ifp->if_label, m,
|
||||
MAC_POLICY_PERFORM_NOSLEEP(netinet6_nd6_send, ifp, ifp->if_label, m,
|
||||
mlabel);
|
||||
}
|
||||
|
@ -257,11 +257,11 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
|
||||
* specific entry point. They come in two forms: one which permits policies
|
||||
* to sleep/block, and another that does not.
|
||||
*
|
||||
* MAC_CHECK performs the designated check by walking the policy module list
|
||||
* and checking with each as to how it feels about the request. Note that it
|
||||
* returns its value via 'error' in the scope of the caller.
|
||||
* MAC_POLICY_CHECK performs the designated check by walking the policy
|
||||
* module list and checking with each as to how it feels about the request.
|
||||
* Note that it returns its value via 'error' in the scope of the caller.
|
||||
*/
|
||||
#define MAC_CHECK(check, args...) do { \
|
||||
#define MAC_POLICY_CHECK(check, args...) do { \
|
||||
struct mac_policy_conf *mpc; \
|
||||
\
|
||||
error = 0; \
|
||||
@ -283,7 +283,7 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
|
||||
} \
|
||||
} while (0)
|
||||
|
||||
#define MAC_CHECK_NOSLEEP(check, args...) do { \
|
||||
#define MAC_POLICY_CHECK_NOSLEEP(check, args...) do { \
|
||||
struct mac_policy_conf *mpc; \
|
||||
\
|
||||
error = 0; \
|
||||
@ -306,13 +306,13 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
|
||||
} while (0)
|
||||
|
||||
/*
|
||||
* MAC_GRANT performs the designated check by walking the policy module list
|
||||
* and checking with each as to how it feels about the request. Unlike
|
||||
* MAC_CHECK, it grants if any policies return '0', and otherwise returns
|
||||
* EPERM. Note that it returns its value via 'error' in the scope of the
|
||||
* caller.
|
||||
* MAC_POLICY_GRANT performs the designated check by walking the policy
|
||||
* module list and checking with each as to how it feels about the request.
|
||||
* Unlike MAC_POLICY_CHECK, it grants if any policies return '0', and
|
||||
* otherwise returns EPERM. Note that it returns its value via 'error' in
|
||||
* the scope of the caller.
|
||||
*/
|
||||
#define MAC_GRANT_NOSLEEP(check, args...) do { \
|
||||
#define MAC_POLICY_GRANT_NOSLEEP(check, args...) do { \
|
||||
struct mac_policy_conf *mpc; \
|
||||
\
|
||||
error = EPERM; \
|
||||
@ -336,13 +336,13 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
|
||||
} while (0)
|
||||
|
||||
/*
|
||||
* MAC_BOOLEAN performs the designated boolean composition by walking the
|
||||
* module list, invoking each instance of the operation, and combining the
|
||||
* results using the passed C operator. Note that it returns its value via
|
||||
* 'result' in the scope of the caller, which should be initialized by the
|
||||
* caller in a meaningful way to get a meaningful result.
|
||||
* MAC_POLICY_BOOLEAN performs the designated boolean composition by walking
|
||||
* the module list, invoking each instance of the operation, and combining
|
||||
* the results using the passed C operator. Note that it returns its value
|
||||
* via 'result' in the scope of the caller, which should be initialized by
|
||||
* the caller in a meaningful way to get a meaningful result.
|
||||
*/
|
||||
#define MAC_BOOLEAN(operation, composition, args...) do { \
|
||||
#define MAC_POLICY_BOOLEAN(operation, composition, args...) do { \
|
||||
struct mac_policy_conf *mpc; \
|
||||
\
|
||||
LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) { \
|
||||
@ -362,7 +362,7 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
|
||||
} \
|
||||
} while (0)
|
||||
|
||||
#define MAC_BOOLEAN_NOSLEEP(operation, composition, args...) do { \
|
||||
#define MAC_POLICY_BOOLEAN_NOSLEEP(operation, composition, args...) do {\
|
||||
struct mac_policy_conf *mpc; \
|
||||
\
|
||||
LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) { \
|
||||
@ -383,13 +383,13 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
|
||||
} while (0)
|
||||
|
||||
/*
|
||||
* MAC_EXTERNALIZE queries each policy to see if it can generate an
|
||||
* MAC_POLICY_EXTERNALIZE queries each policy to see if it can generate an
|
||||
* externalized version of a label element by name. Policies declare whether
|
||||
* they have matched a particular element name, parsed from the string by
|
||||
* MAC_EXTERNALIZE, and an error is returned if any element is matched by no
|
||||
* policy.
|
||||
* MAC_POLICY_EXTERNALIZE, and an error is returned if any element is matched
|
||||
* by no policy.
|
||||
*/
|
||||
#define MAC_EXTERNALIZE(type, label, elementlist, outbuf, \
|
||||
#define MAC_POLICY_EXTERNALIZE(type, label, elementlist, outbuf, \
|
||||
outbuflen) do { \
|
||||
int claimed, first, ignorenotfound, savedlen; \
|
||||
char *element_name, *element_temp; \
|
||||
@ -415,7 +415,7 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
|
||||
break; \
|
||||
} \
|
||||
claimed = 0; \
|
||||
MAC_CHECK(type ## _externalize_label, label, \
|
||||
MAC_POLICY_CHECK(type ## _externalize_label, label, \
|
||||
element_name, &sb, &claimed); \
|
||||
if (error) \
|
||||
break; \
|
||||
@ -433,11 +433,11 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
|
||||
} while (0)
|
||||
|
||||
/*
|
||||
* MAC_INTERNALIZE presents parsed element names and data to each policy to
|
||||
* see if any is willing to claim it and internalize the label data. If no
|
||||
* policies match, an error is returned.
|
||||
* MAC_POLICY_INTERNALIZE presents parsed element names and data to each
|
||||
* policy to see if any is willing to claim it and internalize the label
|
||||
* data. If no policies match, an error is returned.
|
||||
*/
|
||||
#define MAC_INTERNALIZE(type, label, instring) do { \
|
||||
#define MAC_POLICY_INTERNALIZE(type, label, instring) do { \
|
||||
char *element, *element_name, *element_data; \
|
||||
int claimed; \
|
||||
\
|
||||
@ -451,7 +451,7 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
|
||||
break; \
|
||||
} \
|
||||
claimed = 0; \
|
||||
MAC_CHECK(type ## _internalize_label, label, \
|
||||
MAC_POLICY_CHECK(type ## _internalize_label, label, \
|
||||
element_name, element_data, &claimed); \
|
||||
if (error) \
|
||||
break; \
|
||||
@ -464,10 +464,10 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
|
||||
} while (0)
|
||||
|
||||
/*
|
||||
* MAC_PERFORM performs the designated operation by walking the policy module
|
||||
* list and invoking that operation for each policy.
|
||||
* MAC_POLICY_PERFORM performs the designated operation by walking the policy
|
||||
* module list and invoking that operation for each policy.
|
||||
*/
|
||||
#define MAC_PERFORM(operation, args...) do { \
|
||||
#define MAC_POLICY_PERFORM(operation, args...) do { \
|
||||
struct mac_policy_conf *mpc; \
|
||||
\
|
||||
LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) { \
|
||||
@ -484,7 +484,7 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
|
||||
} \
|
||||
} while (0)
|
||||
|
||||
#define MAC_PERFORM_NOSLEEP(operation, args...) do { \
|
||||
#define MAC_POLICY_PERFORM_NOSLEEP(operation, args...) do { \
|
||||
struct mac_policy_conf *mpc; \
|
||||
\
|
||||
LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) { \
|
||||
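Review bot: The renamed macros still declare locals inside their `do { ... } while (0)` bodies and assign to a caller-scope `error` or `result`, so an argument expression that uses one of those local names would silently bind to the macro's own variable instead of the caller's. The locals visible here are `struct mac_policy_conf *mpc;` in MAC_POLICY_CHECK and its siblings, `claimed`, `first`, `ignorenotfound`, `savedlen`, `element_name` and `element_temp` in MAC_POLICY_EXTERNALIZE, and `element`, `element_name`, `element_data` and `claimed` in MAC_POLICY_INTERNALIZE. The block comments document the `error`/`result` convention but not these reserved names; a line such as `* Arguments must not reference 'mpc' or the other locals these macros declare.` in the leading comment would make that contract explicit. Every macro body in this section continues outside the visible hunks.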
|
@ -110,7 +110,7 @@ mac_bpfdesc_label_alloc(void)
|
||||
struct label *label;
|
||||
|
||||
label = mac_labelzone_alloc(M_WAITOK);
|
||||
MAC_PERFORM(bpfdesc_init_label, label);
|
||||
MAC_POLICY_PERFORM(bpfdesc_init_label, label);
|
||||
return (label);
|
||||
}
|
||||
|
||||
@ -130,7 +130,7 @@ mac_ifnet_label_alloc(void)
|
||||
struct label *label;
|
||||
|
||||
label = mac_labelzone_alloc(M_WAITOK);
|
||||
MAC_PERFORM(ifnet_init_label, label);
|
||||
MAC_POLICY_PERFORM(ifnet_init_label, label);
|
||||
return (label);
|
||||
}
|
||||
|
||||
@ -154,11 +154,11 @@ mac_mbuf_tag_init(struct m_tag *tag, int flag)
|
||||
mac_init_label(label);
|
||||
|
||||
if (flag & M_WAITOK)
|
||||
MAC_CHECK(mbuf_init_label, label, flag);
|
||||
MAC_POLICY_CHECK(mbuf_init_label, label, flag);
|
||||
else
|
||||
MAC_CHECK_NOSLEEP(mbuf_init_label, label, flag);
|
||||
MAC_POLICY_CHECK_NOSLEEP(mbuf_init_label, label, flag);
|
||||
if (error) {
|
||||
MAC_PERFORM_NOSLEEP(mbuf_destroy_label, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(mbuf_destroy_label, label);
|
||||
mac_destroy_label(label);
|
||||
}
|
||||
return (error);
|
||||
@ -191,7 +191,7 @@ static void
|
||||
mac_bpfdesc_label_free(struct label *label)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(bpfdesc_destroy_label, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(bpfdesc_destroy_label, label);
|
||||
mac_labelzone_free(label);
|
||||
}
|
||||
|
||||
@ -209,7 +209,7 @@ static void
|
||||
mac_ifnet_label_free(struct label *label)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(ifnet_destroy_label, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(ifnet_destroy_label, label);
|
||||
mac_labelzone_free(label);
|
||||
}
|
||||
|
||||
@ -230,7 +230,7 @@ mac_mbuf_tag_destroy(struct m_tag *tag)
|
||||
|
||||
label = (struct label *)(tag+1);
|
||||
|
||||
MAC_PERFORM_NOSLEEP(mbuf_destroy_label, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(mbuf_destroy_label, label);
|
||||
mac_destroy_label(label);
|
||||
}
|
||||
|
||||
@ -250,7 +250,7 @@ mac_mbuf_tag_copy(struct m_tag *src, struct m_tag *dest)
|
||||
* mac_mbuf_tag_init() is called on the target tag in m_tag_copy(),
|
||||
* so we don't need to call it here.
|
||||
*/
|
||||
MAC_PERFORM_NOSLEEP(mbuf_copy_label, src_label, dest_label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(mbuf_copy_label, src_label, dest_label);
|
||||
}
|
||||
|
||||
void
|
||||
@ -261,14 +261,14 @@ mac_mbuf_copy(struct mbuf *m_from, struct mbuf *m_to)
|
||||
src_label = mac_mbuf_to_label(m_from);
|
||||
dest_label = mac_mbuf_to_label(m_to);
|
||||
|
||||
MAC_PERFORM_NOSLEEP(mbuf_copy_label, src_label, dest_label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(mbuf_copy_label, src_label, dest_label);
|
||||
}
|
||||
|
||||
static void
|
||||
mac_ifnet_copy_label(struct label *src, struct label *dest)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(ifnet_copy_label, src, dest);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(ifnet_copy_label, src, dest);
|
||||
}
|
||||
|
||||
static int
|
||||
@ -277,7 +277,7 @@ mac_ifnet_externalize_label(struct label *label, char *elements,
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_EXTERNALIZE(ifnet, label, elements, outbuf, outbuflen);
|
||||
MAC_POLICY_EXTERNALIZE(ifnet, label, elements, outbuf, outbuflen);
|
||||
|
||||
return (error);
|
||||
}
|
||||
@ -287,7 +287,7 @@ mac_ifnet_internalize_label(struct label *label, char *string)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_INTERNALIZE(ifnet, label, string);
|
||||
MAC_POLICY_INTERNALIZE(ifnet, label, string);
|
||||
|
||||
return (error);
|
||||
}
|
||||
@ -297,7 +297,7 @@ mac_ifnet_create(struct ifnet *ifp)
|
||||
{
|
||||
|
||||
MAC_IFNET_LOCK(ifp);
|
||||
MAC_PERFORM_NOSLEEP(ifnet_create, ifp, ifp->if_label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(ifnet_create, ifp, ifp->if_label);
|
||||
MAC_IFNET_UNLOCK(ifp);
|
||||
}
|
||||
|
||||
@ -305,7 +305,7 @@ void
|
||||
mac_bpfdesc_create(struct ucred *cred, struct bpf_d *d)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(bpfdesc_create, cred, d, d->bd_label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(bpfdesc_create, cred, d, d->bd_label);
|
||||
}
|
||||
|
||||
void
|
||||
@ -317,7 +317,8 @@ mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m)
|
||||
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_PERFORM_NOSLEEP(bpfdesc_create_mbuf, d, d->bd_label, m, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(bpfdesc_create_mbuf, d, d->bd_label, m,
|
||||
label);
|
||||
}
|
||||
|
||||
void
|
||||
@ -328,7 +329,8 @@ mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m)
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_IFNET_LOCK(ifp);
|
||||
MAC_PERFORM_NOSLEEP(ifnet_create_mbuf, ifp, ifp->if_label, m, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(ifnet_create_mbuf, ifp, ifp->if_label, m,
|
||||
label);
|
||||
MAC_IFNET_UNLOCK(ifp);
|
||||
}
|
||||
|
||||
@ -343,7 +345,7 @@ mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp)
|
||||
BPFD_LOCK_ASSERT(d);
|
||||
|
||||
MAC_IFNET_LOCK(ifp);
|
||||
MAC_CHECK_NOSLEEP(bpfdesc_check_receive, d, d->bd_label, ifp,
|
||||
MAC_POLICY_CHECK_NOSLEEP(bpfdesc_check_receive, d, d->bd_label, ifp,
|
||||
ifp->if_label);
|
||||
MAC_CHECK_PROBE2(bpfdesc_check_receive, error, d, ifp);
|
||||
MAC_IFNET_UNLOCK(ifp);
|
||||
@ -365,7 +367,7 @@ mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m)
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_IFNET_LOCK(ifp);
|
||||
MAC_CHECK_NOSLEEP(ifnet_check_transmit, ifp, ifp->if_label, m,
|
||||
MAC_POLICY_CHECK_NOSLEEP(ifnet_check_transmit, ifp, ifp->if_label, m,
|
||||
label);
|
||||
MAC_CHECK_PROBE2(ifnet_check_transmit, error, ifp, m);
|
||||
MAC_IFNET_UNLOCK(ifp);
|
||||
@ -463,15 +465,15 @@ mac_ifnet_ioctl_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp)
|
||||
}
|
||||
|
||||
MAC_IFNET_LOCK(ifp);
|
||||
MAC_CHECK_NOSLEEP(ifnet_check_relabel, cred, ifp, ifp->if_label,
|
||||
intlabel);
|
||||
MAC_POLICY_CHECK_NOSLEEP(ifnet_check_relabel, cred, ifp,
|
||||
ifp->if_label, intlabel);
|
||||
if (error) {
|
||||
MAC_IFNET_UNLOCK(ifp);
|
||||
mac_ifnet_label_free(intlabel);
|
||||
return (error);
|
||||
}
|
||||
|
||||
MAC_PERFORM_NOSLEEP(ifnet_relabel, cred, ifp, ifp->if_label,
|
||||
MAC_POLICY_PERFORM_NOSLEEP(ifnet_relabel, cred, ifp, ifp->if_label,
|
||||
intlabel);
|
||||
MAC_IFNET_UNLOCK(ifp);
|
||||
|
||||
|
@ -66,7 +66,7 @@ mac_pipe_label_alloc(void)
|
||||
struct label *label;
|
||||
|
||||
label = mac_labelzone_alloc(M_WAITOK);
|
||||
MAC_PERFORM(pipe_init_label, label);
|
||||
MAC_POLICY_PERFORM(pipe_init_label, label);
|
||||
return (label);
|
||||
}
|
||||
|
||||
@ -84,7 +84,7 @@ void
|
||||
mac_pipe_label_free(struct label *label)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(pipe_destroy_label, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(pipe_destroy_label, label);
|
||||
mac_labelzone_free(label);
|
||||
}
|
||||
|
||||
@ -102,7 +102,7 @@ void
|
||||
mac_pipe_copy_label(struct label *src, struct label *dest)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(pipe_copy_label, src, dest);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(pipe_copy_label, src, dest);
|
||||
}
|
||||
|
||||
int
|
||||
@ -111,7 +111,7 @@ mac_pipe_externalize_label(struct label *label, char *elements,
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_EXTERNALIZE(pipe, label, elements, outbuf, outbuflen);
|
||||
MAC_POLICY_EXTERNALIZE(pipe, label, elements, outbuf, outbuflen);
|
||||
|
||||
return (error);
|
||||
}
|
||||
@ -121,7 +121,7 @@ mac_pipe_internalize_label(struct label *label, char *string)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_INTERNALIZE(pipe, label, string);
|
||||
MAC_POLICY_INTERNALIZE(pipe, label, string);
|
||||
|
||||
return (error);
|
||||
}
|
||||
@ -130,7 +130,7 @@ void
|
||||
mac_pipe_create(struct ucred *cred, struct pipepair *pp)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(pipe_create, cred, pp, pp->pp_label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(pipe_create, cred, pp, pp->pp_label);
|
||||
}
|
||||
|
||||
static void
|
||||
@ -138,7 +138,8 @@ mac_pipe_relabel(struct ucred *cred, struct pipepair *pp,
|
||||
struct label *newlabel)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(pipe_relabel, cred, pp, pp->pp_label, newlabel);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(pipe_relabel, cred, pp, pp->pp_label,
|
||||
newlabel);
|
||||
}
|
||||
|
||||
MAC_CHECK_PROBE_DEFINE4(pipe_check_ioctl, "struct ucred *",
|
||||
@ -152,8 +153,8 @@ mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
|
||||
|
||||
mtx_assert(&pp->pp_mtx, MA_OWNED);
|
||||
|
||||
MAC_CHECK_NOSLEEP(pipe_check_ioctl, cred, pp, pp->pp_label, cmd,
|
||||
data);
|
||||
MAC_POLICY_CHECK_NOSLEEP(pipe_check_ioctl, cred, pp, pp->pp_label,
|
||||
cmd, data);
|
||||
MAC_CHECK_PROBE4(pipe_check_ioctl, error, cred, pp, cmd, data);
|
||||
|
||||
return (error);
|
||||
@ -169,7 +170,7 @@ mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp)
|
||||
|
||||
mtx_assert(&pp->pp_mtx, MA_OWNED);
|
||||
|
||||
MAC_CHECK_NOSLEEP(pipe_check_poll, cred, pp, pp->pp_label);
|
||||
MAC_POLICY_CHECK_NOSLEEP(pipe_check_poll, cred, pp, pp->pp_label);
|
||||
MAC_CHECK_PROBE2(pipe_check_poll, error, cred, pp);
|
||||
|
||||
return (error);
|
||||
@ -185,7 +186,7 @@ mac_pipe_check_read(struct ucred *cred, struct pipepair *pp)
|
||||
|
||||
mtx_assert(&pp->pp_mtx, MA_OWNED);
|
||||
|
||||
MAC_CHECK_NOSLEEP(pipe_check_read, cred, pp, pp->pp_label);
|
||||
MAC_POLICY_CHECK_NOSLEEP(pipe_check_read, cred, pp, pp->pp_label);
|
||||
MAC_CHECK_PROBE2(pipe_check_read, error, cred, pp);
|
||||
|
||||
return (error);
|
||||
@ -202,7 +203,7 @@ mac_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
|
||||
|
||||
mtx_assert(&pp->pp_mtx, MA_OWNED);
|
||||
|
||||
MAC_CHECK_NOSLEEP(pipe_check_relabel, cred, pp, pp->pp_label,
|
||||
MAC_POLICY_CHECK_NOSLEEP(pipe_check_relabel, cred, pp, pp->pp_label,
|
||||
newlabel);
|
||||
MAC_CHECK_PROBE3(pipe_check_relabel, error, cred, pp, newlabel);
|
||||
|
||||
@ -219,7 +220,7 @@ mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp)
|
||||
|
||||
mtx_assert(&pp->pp_mtx, MA_OWNED);
|
||||
|
||||
MAC_CHECK_NOSLEEP(pipe_check_stat, cred, pp, pp->pp_label);
|
||||
MAC_POLICY_CHECK_NOSLEEP(pipe_check_stat, cred, pp, pp->pp_label);
|
||||
MAC_CHECK_PROBE2(pipe_check_stat, error, cred, pp);
|
||||
|
||||
return (error);
|
||||
@ -235,7 +236,7 @@ mac_pipe_check_write(struct ucred *cred, struct pipepair *pp)
|
||||
|
||||
mtx_assert(&pp->pp_mtx, MA_OWNED);
|
||||
|
||||
MAC_CHECK_NOSLEEP(pipe_check_write, cred, pp, pp->pp_label);
|
||||
MAC_POLICY_CHECK_NOSLEEP(pipe_check_write, cred, pp, pp->pp_label);
|
||||
MAC_CHECK_PROBE2(pipe_check_write, error, cred, pp);
|
||||
|
||||
return (error);
|
||||
|
@ -62,7 +62,7 @@ mac_posixsem_label_alloc(void)
|
||||
struct label *label;
|
||||
|
||||
label = mac_labelzone_alloc(M_WAITOK);
|
||||
MAC_PERFORM(posixsem_init_label, label);
|
||||
MAC_POLICY_PERFORM(posixsem_init_label, label);
|
||||
return (label);
|
||||
}
|
||||
|
||||
@ -80,7 +80,7 @@ static void
|
||||
mac_posixsem_label_free(struct label *label)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(posixsem_destroy_label, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(posixsem_destroy_label, label);
|
||||
mac_labelzone_free(label);
|
||||
}
|
||||
|
||||
@ -98,7 +98,7 @@ void
|
||||
mac_posixsem_create(struct ucred *cred, struct ksem *ks)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(posixsem_create, cred, ks, ks->ks_label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(posixsem_create, cred, ks, ks->ks_label);
|
||||
}
|
||||
|
||||
MAC_CHECK_PROBE_DEFINE2(posixsem_check_open, "struct ucred *",
|
||||
@ -109,7 +109,8 @@ mac_posixsem_check_open(struct ucred *cred, struct ksem *ks)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(posixsem_check_open, cred, ks, ks->ks_label);
|
||||
MAC_POLICY_CHECK_NOSLEEP(posixsem_check_open, cred, ks,
|
||||
ks->ks_label);
|
||||
MAC_CHECK_PROBE2(posixsem_check_open, error, cred, ks);
|
||||
|
||||
return (error);
|
||||
@ -124,8 +125,8 @@ mac_posixsem_check_getvalue(struct ucred *active_cred, struct ucred *file_cred,
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(posixsem_check_getvalue, active_cred, file_cred,
|
||||
ks, ks->ks_label);
|
||||
MAC_POLICY_CHECK_NOSLEEP(posixsem_check_getvalue, active_cred,
|
||||
file_cred, ks, ks->ks_label);
|
||||
MAC_CHECK_PROBE3(posixsem_check_getvalue, error, active_cred,
|
||||
file_cred, ks);
|
||||
|
||||
@ -141,8 +142,8 @@ mac_posixsem_check_post(struct ucred *active_cred, struct ucred *file_cred,
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(posixsem_check_post, active_cred, file_cred, ks,
|
||||
ks->ks_label);
|
||||
MAC_POLICY_CHECK_NOSLEEP(posixsem_check_post, active_cred, file_cred,
|
||||
ks, ks->ks_label);
|
||||
MAC_CHECK_PROBE3(posixsem_check_post, error, active_cred, file_cred,
|
||||
ks);
|
||||
|
||||
@ -158,8 +159,8 @@ mac_posixsem_check_stat(struct ucred *active_cred, struct ucred *file_cred,
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(posixsem_check_stat, active_cred, file_cred, ks,
|
||||
ks->ks_label);
|
||||
MAC_POLICY_CHECK_NOSLEEP(posixsem_check_stat, active_cred, file_cred,
|
||||
ks, ks->ks_label);
|
||||
MAC_CHECK_PROBE3(posixsem_check_stat, error, active_cred, file_cred,
|
||||
ks);
|
||||
|
||||
@ -174,7 +175,8 @@ mac_posixsem_check_unlink(struct ucred *cred, struct ksem *ks)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(posixsem_check_unlink, cred, ks, ks->ks_label);
|
||||
MAC_POLICY_CHECK_NOSLEEP(posixsem_check_unlink, cred, ks,
|
||||
ks->ks_label);
|
||||
MAC_CHECK_PROBE2(posixsem_check_unlink, error, cred, ks);
|
||||
|
||||
return (error);
|
||||
@ -189,8 +191,8 @@ mac_posixsem_check_wait(struct ucred *active_cred, struct ucred *file_cred,
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(posixsem_check_wait, active_cred, file_cred, ks,
|
||||
ks->ks_label);
|
||||
MAC_POLICY_CHECK_NOSLEEP(posixsem_check_wait, active_cred, file_cred,
|
||||
ks, ks->ks_label);
|
||||
MAC_CHECK_PROBE3(posixsem_check_wait, error, active_cred, file_cred,
|
||||
ks);
|
||||
|
||||
|
@ -61,7 +61,7 @@ mac_posixshm_label_alloc(void)
|
||||
struct label *label;
|
||||
|
||||
label = mac_labelzone_alloc(M_WAITOK);
|
||||
MAC_PERFORM(posixshm_init_label, label);
|
||||
MAC_POLICY_PERFORM(posixshm_init_label, label);
|
||||
return (label);
|
||||
}
|
||||
|
||||
@ -79,7 +79,7 @@ static void
|
||||
mac_posixshm_label_free(struct label *label)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(posixshm_destroy_label, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(posixshm_destroy_label, label);
|
||||
mac_labelzone_free(label);
|
||||
}
|
||||
|
||||
@ -97,7 +97,8 @@ void
|
||||
mac_posixshm_create(struct ucred *cred, struct shmfd *shmfd)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(posixshm_create, cred, shmfd, shmfd->shm_label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(posixshm_create, cred, shmfd,
|
||||
shmfd->shm_label);
|
||||
}
|
||||
|
||||
MAC_CHECK_PROBE_DEFINE4(posixshm_check_mmap, "struct ucred *",
|
||||
@ -109,8 +110,8 @@ mac_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd, int prot,
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(posixshm_check_mmap, cred, shmfd, shmfd->shm_label,
|
||||
prot, flags);
|
||||
MAC_POLICY_CHECK_NOSLEEP(posixshm_check_mmap, cred, shmfd,
|
||||
shmfd->shm_label, prot, flags);
|
||||
MAC_CHECK_PROBE4(posixshm_check_mmap, error, cred, shmfd, prot,
|
||||
flags);
|
||||
|
||||
@ -125,7 +126,8 @@ mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(posixshm_check_open, cred, shmfd, shmfd->shm_label);
|
||||
MAC_POLICY_CHECK_NOSLEEP(posixshm_check_open, cred, shmfd,
|
||||
shmfd->shm_label);
|
||||
MAC_CHECK_PROBE2(posixshm_check_open, error, cred, shmfd);
|
||||
|
||||
return (error);
|
||||
@ -140,8 +142,8 @@ mac_posixshm_check_stat(struct ucred *active_cred, struct ucred *file_cred,
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(posixshm_check_stat, active_cred, file_cred, shmfd,
|
||||
shmfd->shm_label);
|
||||
MAC_POLICY_CHECK_NOSLEEP(posixshm_check_stat, active_cred, file_cred,
|
||||
shmfd, shmfd->shm_label);
|
||||
MAC_CHECK_PROBE3(posixshm_check_stat, error, active_cred, file_cred,
|
||||
shmfd);
|
||||
|
||||
@ -157,8 +159,8 @@ mac_posixshm_check_truncate(struct ucred *active_cred, struct ucred *file_cred,
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(posixshm_check_truncate, active_cred, file_cred,
|
||||
shmfd, shmfd->shm_label);
|
||||
MAC_POLICY_CHECK_NOSLEEP(posixshm_check_truncate, active_cred,
|
||||
file_cred, shmfd, shmfd->shm_label);
|
||||
MAC_CHECK_PROBE3(posixshm_check_truncate, error, active_cred,
|
||||
file_cred, shmfd);
|
||||
|
||||
@ -173,7 +175,7 @@ mac_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(posixshm_check_unlink, cred, shmfd,
|
||||
MAC_POLICY_CHECK_NOSLEEP(posixshm_check_unlink, cred, shmfd,
|
||||
shmfd->shm_label);
|
||||
MAC_CHECK_PROBE2(posixshm_check_unlink, error, cred, shmfd);
|
||||
|
||||
|
@ -72,7 +72,7 @@ mac_priv_check(struct ucred *cred, int priv)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(priv_check, cred, priv);
|
||||
MAC_POLICY_CHECK_NOSLEEP(priv_check, cred, priv);
|
||||
MAC_CHECK_PROBE2(priv_check, error, cred, priv);
|
||||
|
||||
return (error);
|
||||
@ -89,7 +89,7 @@ mac_priv_grant(struct ucred *cred, int priv)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_GRANT_NOSLEEP(priv_grant, cred, priv);
|
||||
MAC_POLICY_GRANT_NOSLEEP(priv_grant, cred, priv);
|
||||
MAC_GRANT_PROBE2(priv_grant, error, cred, priv);
|
||||
|
||||
return (error);
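Review bot: In mac_priv_check() and mac_priv_grant(), `error` is declared without an initialiser and is never assigned in the visible lines, so its value presumably comes from inside MAC_POLICY_CHECK_NOSLEEP and MAC_POLICY_GRANT_NOSLEEP, whose definitions are not shown in this section. Since the macro lines are being touched anyway, a one-line comment such as `/* MAC_POLICY_CHECK_NOSLEEP() assigns the local 'error'. */` above the call would make that hidden assignment visible to readers and to anyone triaging an uninitialised-variable warning. The same pattern recurs in the other check functions this commit renames; both function bodies begin above their hunks.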
|
||||
|
@ -94,7 +94,7 @@ mac_proc_label_alloc(void)
|
||||
struct label *label;
|
||||
|
||||
label = mac_labelzone_alloc(M_WAITOK);
|
||||
MAC_PERFORM(proc_init_label, label);
|
||||
MAC_POLICY_PERFORM(proc_init_label, label);
|
||||
return (label);
|
||||
}
|
||||
|
||||
@ -112,7 +112,7 @@ static void
|
||||
mac_proc_label_free(struct label *label)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(proc_destroy_label, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(proc_destroy_label, label);
|
||||
mac_labelzone_free(label);
|
||||
}
|
||||
|
||||
@ -130,7 +130,7 @@ void
|
||||
mac_thread_userret(struct thread *td)
|
||||
{
|
||||
|
||||
MAC_PERFORM(thread_userret, td);
|
||||
MAC_POLICY_PERFORM(thread_userret, td);
|
||||
}
|
||||
|
||||
int
|
||||
@ -386,7 +386,7 @@ mac_proc_check_debug(struct ucred *cred, struct proc *p)
|
||||
|
||||
PROC_LOCK_ASSERT(p, MA_OWNED);
|
||||
|
||||
MAC_CHECK_NOSLEEP(proc_check_debug, cred, p);
|
||||
MAC_POLICY_CHECK_NOSLEEP(proc_check_debug, cred, p);
|
||||
MAC_CHECK_PROBE2(proc_check_debug, error, cred, p);
|
||||
|
||||
return (error);
|
||||
@ -401,7 +401,7 @@ mac_proc_check_sched(struct ucred *cred, struct proc *p)
|
||||
|
||||
PROC_LOCK_ASSERT(p, MA_OWNED);
|
||||
|
||||
MAC_CHECK_NOSLEEP(proc_check_sched, cred, p);
|
||||
MAC_POLICY_CHECK_NOSLEEP(proc_check_sched, cred, p);
|
||||
MAC_CHECK_PROBE2(proc_check_sched, error, cred, p);
|
||||
|
||||
return (error);
|
||||
@ -417,7 +417,7 @@ mac_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
|
||||
|
||||
PROC_LOCK_ASSERT(p, MA_OWNED);
|
||||
|
||||
MAC_CHECK_NOSLEEP(proc_check_signal, cred, p, signum);
|
||||
MAC_POLICY_CHECK_NOSLEEP(proc_check_signal, cred, p, signum);
|
||||
MAC_CHECK_PROBE3(proc_check_signal, error, cred, p, signum);
|
||||
|
||||
return (error);
|
||||
@ -432,7 +432,7 @@ mac_proc_check_wait(struct ucred *cred, struct proc *p)
|
||||
|
||||
PROC_LOCK_ASSERT(p, MA_OWNED);
|
||||
|
||||
MAC_CHECK_NOSLEEP(proc_check_wait, cred, p);
|
||||
MAC_POLICY_CHECK_NOSLEEP(proc_check_wait, cred, p);
|
||||
MAC_CHECK_PROBE2(proc_check_wait, error, cred, p);
|
||||
|
||||
return (error);
|
||||
|
@ -101,11 +101,11 @@ mac_socket_label_alloc(int flag)
|
||||
return (NULL);
|
||||
|
||||
if (flag & M_WAITOK)
|
||||
MAC_CHECK(socket_init_label, label, flag);
|
||||
MAC_POLICY_CHECK(socket_init_label, label, flag);
|
||||
else
|
||||
MAC_CHECK_NOSLEEP(socket_init_label, label, flag);
|
||||
MAC_POLICY_CHECK_NOSLEEP(socket_init_label, label, flag);
|
||||
if (error) {
|
||||
MAC_PERFORM_NOSLEEP(socket_destroy_label, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(socket_destroy_label, label);
|
||||
mac_labelzone_free(label);
|
||||
return (NULL);
|
||||
}
|
||||
@ -123,11 +123,11 @@ mac_socketpeer_label_alloc(int flag)
|
||||
return (NULL);
|
||||
|
||||
if (flag & M_WAITOK)
|
||||
MAC_CHECK(socketpeer_init_label, label, flag);
|
||||
MAC_POLICY_CHECK(socketpeer_init_label, label, flag);
|
||||
else
|
||||
MAC_CHECK_NOSLEEP(socketpeer_init_label, label, flag);
|
||||
MAC_POLICY_CHECK_NOSLEEP(socketpeer_init_label, label, flag);
|
||||
if (error) {
|
||||
MAC_PERFORM_NOSLEEP(socketpeer_destroy_label, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(socketpeer_destroy_label, label);
|
||||
mac_labelzone_free(label);
|
||||
return (NULL);
|
||||
}
|
||||
@ -159,7 +159,7 @@ void
|
||||
mac_socket_label_free(struct label *label)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(socket_destroy_label, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(socket_destroy_label, label);
|
||||
mac_labelzone_free(label);
|
||||
}
|
||||
|
||||
@ -167,7 +167,7 @@ static void
|
||||
mac_socketpeer_label_free(struct label *label)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(socketpeer_destroy_label, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(socketpeer_destroy_label, label);
|
||||
mac_labelzone_free(label);
|
||||
}
|
||||
|
||||
@ -187,7 +187,7 @@ void
|
||||
mac_socket_copy_label(struct label *src, struct label *dest)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(socket_copy_label, src, dest);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(socket_copy_label, src, dest);
|
||||
}
|
||||
|
||||
int
|
||||
@ -196,7 +196,7 @@ mac_socket_externalize_label(struct label *label, char *elements,
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_EXTERNALIZE(socket, label, elements, outbuf, outbuflen);
|
||||
MAC_POLICY_EXTERNALIZE(socket, label, elements, outbuf, outbuflen);
|
||||
|
||||
return (error);
|
||||
}
|
||||
@ -207,7 +207,8 @@ mac_socketpeer_externalize_label(struct label *label, char *elements,
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_EXTERNALIZE(socketpeer, label, elements, outbuf, outbuflen);
|
||||
MAC_POLICY_EXTERNALIZE(socketpeer, label, elements, outbuf,
|
||||
outbuflen);
|
||||
|
||||
return (error);
|
||||
}
|
||||
@ -217,7 +218,7 @@ mac_socket_internalize_label(struct label *label, char *string)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_INTERNALIZE(socket, label, string);
|
||||
MAC_POLICY_INTERNALIZE(socket, label, string);
|
||||
|
||||
return (error);
|
||||
}
|
||||
@ -226,7 +227,7 @@ void
|
||||
mac_socket_create(struct ucred *cred, struct socket *so)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(socket_create, cred, so, so->so_label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(socket_create, cred, so, so->so_label);
|
||||
}
|
||||
|
||||
void
|
||||
@ -235,8 +236,8 @@ mac_socket_newconn(struct socket *oldso, struct socket *newso)
|
||||
|
||||
SOCK_LOCK_ASSERT(oldso);
|
||||
|
||||
MAC_PERFORM_NOSLEEP(socket_newconn, oldso, oldso->so_label, newso,
|
||||
newso->so_label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(socket_newconn, oldso, oldso->so_label,
|
||||
newso, newso->so_label);
|
||||
}
|
||||
|
||||
static void
|
||||
@ -246,7 +247,7 @@ mac_socket_relabel(struct ucred *cred, struct socket *so,
|
||||
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
MAC_PERFORM_NOSLEEP(socket_relabel, cred, so, so->so_label,
|
||||
MAC_POLICY_PERFORM_NOSLEEP(socket_relabel, cred, so, so->so_label,
|
||||
newlabel);
|
||||
}
|
||||
|
||||
@ -259,7 +260,7 @@ mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so)
|
||||
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_PERFORM_NOSLEEP(socketpeer_set_from_mbuf, m, label, so,
|
||||
MAC_POLICY_PERFORM_NOSLEEP(socketpeer_set_from_mbuf, m, label, so,
|
||||
so->so_peerlabel);
|
||||
}
|
||||
|
||||
@ -272,7 +273,7 @@ mac_socketpeer_set_from_socket(struct socket *oldso, struct socket *newso)
|
||||
* is the original, and one is the new. However, it's called in both
|
||||
* directions, so we can't assert the lock here currently.
|
||||
*/
|
||||
MAC_PERFORM_NOSLEEP(socketpeer_set_from_socket, oldso,
|
||||
MAC_POLICY_PERFORM_NOSLEEP(socketpeer_set_from_socket, oldso,
|
||||
oldso->so_label, newso, newso->so_peerlabel);
|
||||
}
|
||||
|
||||
@ -285,7 +286,8 @@ mac_socket_create_mbuf(struct socket *so, struct mbuf *m)
|
||||
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_PERFORM_NOSLEEP(socket_create_mbuf, so, so->so_label, m, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(socket_create_mbuf, so, so->so_label, m,
|
||||
label);
|
||||
}
|
||||
|
||||
MAC_CHECK_PROBE_DEFINE2(socket_check_accept, "struct ucred *",
|
||||
@ -298,7 +300,8 @@ mac_socket_check_accept(struct ucred *cred, struct socket *so)
|
||||
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
MAC_CHECK_NOSLEEP(socket_check_accept, cred, so, so->so_label);
|
||||
MAC_POLICY_CHECK_NOSLEEP(socket_check_accept, cred, so,
|
||||
so->so_label);
|
||||
MAC_CHECK_PROBE2(socket_check_accept, error, cred, so);
|
||||
|
||||
return (error);
|
||||
@ -315,7 +318,8 @@ mac_socket_check_bind(struct ucred *cred, struct socket *so,
|
||||
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
MAC_CHECK_NOSLEEP(socket_check_bind, cred, so, so->so_label, sa);
|
||||
MAC_POLICY_CHECK_NOSLEEP(socket_check_bind, cred, so, so->so_label,
|
||||
sa);
|
||||
MAC_CHECK_PROBE3(socket_check_bind, error, cred, so, sa);
|
||||
|
||||
return (error);
|
||||
@ -332,7 +336,8 @@ mac_socket_check_connect(struct ucred *cred, struct socket *so,
|
||||
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
MAC_CHECK_NOSLEEP(socket_check_connect, cred, so, so->so_label, sa);
|
||||
MAC_POLICY_CHECK_NOSLEEP(socket_check_connect, cred, so,
|
||||
so->so_label, sa);
|
||||
MAC_CHECK_PROBE3(socket_check_connect, error, cred, so, sa);
|
||||
|
||||
return (error);
|
||||
@ -346,7 +351,8 @@ mac_socket_check_create(struct ucred *cred, int domain, int type, int proto)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(socket_check_create, cred, domain, type, proto);
|
||||
MAC_POLICY_CHECK_NOSLEEP(socket_check_create, cred, domain, type,
|
||||
proto);
|
||||
MAC_CHECK_PROBE4(socket_check_create, error, cred, domain, type,
|
||||
proto);
|
||||
|
||||
@ -366,7 +372,8 @@ mac_socket_check_deliver(struct socket *so, struct mbuf *m)
|
||||
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_CHECK_NOSLEEP(socket_check_deliver, so, so->so_label, m, label);
|
||||
MAC_POLICY_CHECK_NOSLEEP(socket_check_deliver, so, so->so_label, m,
|
||||
label);
|
||||
MAC_CHECK_PROBE2(socket_check_deliver, error, so, m);
|
||||
|
||||
return (error);
|
||||
@ -382,7 +389,8 @@ mac_socket_check_listen(struct ucred *cred, struct socket *so)
|
||||
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
MAC_CHECK_NOSLEEP(socket_check_listen, cred, so, so->so_label);
|
||||
MAC_POLICY_CHECK_NOSLEEP(socket_check_listen, cred, so,
|
||||
so->so_label);
|
||||
MAC_CHECK_PROBE2(socket_check_listen, error, cred, so);
|
||||
|
||||
return (error);
|
||||
@ -398,7 +406,7 @@ mac_socket_check_poll(struct ucred *cred, struct socket *so)
|
||||
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
MAC_CHECK_NOSLEEP(socket_check_poll, cred, so, so->so_label);
|
||||
MAC_POLICY_CHECK_NOSLEEP(socket_check_poll, cred, so, so->so_label);
|
||||
MAC_CHECK_PROBE2(socket_check_poll, error, cred, so);
|
||||
|
||||
return (error);
|
||||
@ -414,7 +422,8 @@ mac_socket_check_receive(struct ucred *cred, struct socket *so)
|
||||
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
MAC_CHECK_NOSLEEP(socket_check_receive, cred, so, so->so_label);
|
||||
MAC_POLICY_CHECK_NOSLEEP(socket_check_receive, cred, so,
|
||||
so->so_label);
|
||||
MAC_CHECK_PROBE2(socket_check_receive, error, cred, so);
|
||||
|
||||
return (error);
|
||||
@ -431,8 +440,8 @@ mac_socket_check_relabel(struct ucred *cred, struct socket *so,
|
||||
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
MAC_CHECK_NOSLEEP(socket_check_relabel, cred, so, so->so_label,
|
||||
newlabel);
|
||||
MAC_POLICY_CHECK_NOSLEEP(socket_check_relabel, cred, so,
|
||||
so->so_label, newlabel);
|
||||
MAC_CHECK_PROBE3(socket_check_relabel, error, cred, so, newlabel);
|
||||
|
||||
return (error);
|
||||
@ -448,7 +457,7 @@ mac_socket_check_send(struct ucred *cred, struct socket *so)
|
||||
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
MAC_CHECK_NOSLEEP(socket_check_send, cred, so, so->so_label);
|
||||
MAC_POLICY_CHECK_NOSLEEP(socket_check_send, cred, so, so->so_label);
|
||||
MAC_CHECK_PROBE2(socket_check_send, error, cred, so);
|
||||
|
||||
return (error);
|
||||
@ -464,7 +473,7 @@ mac_socket_check_stat(struct ucred *cred, struct socket *so)
|
||||
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
MAC_CHECK_NOSLEEP(socket_check_stat, cred, so, so->so_label);
|
||||
MAC_POLICY_CHECK_NOSLEEP(socket_check_stat, cred, so, so->so_label);
|
||||
MAC_CHECK_PROBE2(socket_check_stat, error, cred, so);
|
||||
|
||||
return (error);
|
||||
@ -480,7 +489,8 @@ mac_socket_check_visible(struct ucred *cred, struct socket *so)
|
||||
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
MAC_CHECK_NOSLEEP(socket_check_visible, cred, so, so->so_label);
|
||||
MAC_POLICY_CHECK_NOSLEEP(socket_check_visible, cred, so,
|
||||
so->so_label);
|
||||
MAC_CHECK_PROBE2(socket_check_visible, error, cred, so);
|
||||
|
||||
return (error);
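Review bot: In mac_socket_label_alloc() and mac_socketpeer_label_alloc(), the renamed macros are still the unbraced arms of `if (flag & M_WAITOK) ... else ...`, which is only correct while MAC_POLICY_CHECK and MAC_POLICY_CHECK_NOSLEEP each expand to exactly one statement; their definitions are not part of this section. The result of these calls decides whether the function returns a label or tears it down and returns NULL. I would therefore brace both arms, i.e. `if (flag & M_WAITOK) {` / `MAC_POLICY_CHECK(socket_init_label, label, flag);` / `} else {`, so a later change to a macro body cannot leave part of it outside the conditional. Both functions begin above their hunks.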
|
||||
|
@ -78,7 +78,7 @@ mac_kenv_check_dump(struct ucred *cred)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(kenv_check_dump, cred);
|
||||
MAC_POLICY_CHECK_NOSLEEP(kenv_check_dump, cred);
|
||||
MAC_CHECK_PROBE1(kenv_check_dump, error, cred);
|
||||
|
||||
return (error);
|
||||
@ -91,7 +91,7 @@ mac_kenv_check_get(struct ucred *cred, char *name)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(kenv_check_get, cred, name);
|
||||
MAC_POLICY_CHECK_NOSLEEP(kenv_check_get, cred, name);
|
||||
MAC_CHECK_PROBE2(kenv_check_get, error, cred, name);
|
||||
|
||||
return (error);
|
||||
@ -105,7 +105,7 @@ mac_kenv_check_set(struct ucred *cred, char *name, char *value)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(kenv_check_set, cred, name, value);
|
||||
MAC_POLICY_CHECK_NOSLEEP(kenv_check_set, cred, name, value);
|
||||
MAC_CHECK_PROBE3(kenv_check_set, error, cred, name, value);
|
||||
|
||||
return (error);
|
||||
@ -118,7 +118,7 @@ mac_kenv_check_unset(struct ucred *cred, char *name)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(kenv_check_unset, cred, name);
|
||||
MAC_POLICY_CHECK_NOSLEEP(kenv_check_unset, cred, name);
|
||||
MAC_CHECK_PROBE2(kenv_check_unset, error, cred, name);
|
||||
|
||||
return (error);
|
||||
@ -133,7 +133,7 @@ mac_kld_check_load(struct ucred *cred, struct vnode *vp)
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_kld_check_load");
|
||||
|
||||
MAC_CHECK(kld_check_load, cred, vp, vp->v_label);
|
||||
MAC_POLICY_CHECK(kld_check_load, cred, vp, vp->v_label);
|
||||
MAC_CHECK_PROBE2(kld_check_load, error, cred, vp);
|
||||
|
||||
return (error);
|
||||
@ -146,7 +146,7 @@ mac_kld_check_stat(struct ucred *cred)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(kld_check_stat, cred);
|
||||
MAC_POLICY_CHECK_NOSLEEP(kld_check_stat, cred);
|
||||
MAC_CHECK_PROBE1(kld_check_stat, error, cred);
|
||||
|
||||
return (error);
|
||||
@ -164,7 +164,7 @@ mac_system_check_acct(struct ucred *cred, struct vnode *vp)
|
||||
ASSERT_VOP_LOCKED(vp, "mac_system_check_acct");
|
||||
}
|
||||
|
||||
MAC_CHECK(system_check_acct, cred, vp,
|
||||
MAC_POLICY_CHECK(system_check_acct, cred, vp,
|
||||
vp != NULL ? vp->v_label : NULL);
|
||||
MAC_CHECK_PROBE2(system_check_acct, error, cred, vp);
|
||||
|
||||
@ -178,7 +178,7 @@ mac_system_check_reboot(struct ucred *cred, int howto)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(system_check_reboot, cred, howto);
|
||||
MAC_POLICY_CHECK_NOSLEEP(system_check_reboot, cred, howto);
|
||||
MAC_CHECK_PROBE2(system_check_reboot, error, cred, howto);
|
||||
|
||||
return (error);
|
||||
@ -194,7 +194,7 @@ mac_system_check_swapon(struct ucred *cred, struct vnode *vp)
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_system_check_swapon");
|
||||
|
||||
MAC_CHECK(system_check_swapon, cred, vp, vp->v_label);
|
||||
MAC_POLICY_CHECK(system_check_swapon, cred, vp, vp->v_label);
|
||||
MAC_CHECK_PROBE2(system_check_swapon, error, cred, vp);
|
||||
|
||||
return (error);
|
||||
@ -210,7 +210,7 @@ mac_system_check_swapoff(struct ucred *cred, struct vnode *vp)
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_system_check_swapoff");
|
||||
|
||||
MAC_CHECK(system_check_swapoff, cred, vp, vp->v_label);
|
||||
MAC_POLICY_CHECK(system_check_swapoff, cred, vp, vp->v_label);
|
||||
MAC_CHECK_PROBE2(system_check_swapoff, error, cred, vp);
|
||||
|
||||
return (error);
|
||||
@ -229,7 +229,8 @@ mac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
|
||||
* XXXMAC: We would very much like to assert the SYSCTL_LOCK here,
|
||||
* but since it's not exported from kern_sysctl.c, we can't.
|
||||
*/
|
||||
MAC_CHECK_NOSLEEP(system_check_sysctl, cred, oidp, arg1, arg2, req);
|
||||
MAC_POLICY_CHECK_NOSLEEP(system_check_sysctl, cred, oidp, arg1, arg2,
|
||||
req);
|
||||
MAC_CHECK_PROBE3(system_check_sysctl, error, cred, oidp, req);
|
||||
|
||||
return (error);
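Review bot: In mac_system_check_acct() the call passes `vp != NULL ? vp->v_label : NULL`, so every policy's system_check_acct entry point can be handed a NULL vnode and a NULL label, yet nothing at the call site says so. A short comment above the macro call would help policy authors, e.g. `/* vp and its label may be NULL; policies must check before dereferencing. */`. The condition under which vp is NULL is decided outside this hunk, so the wording should be confirmed against the caller.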
|
||||
|
@ -69,7 +69,7 @@ mac_sysv_msgmsg_label_alloc(void)
|
||||
struct label *label;
|
||||
|
||||
label = mac_labelzone_alloc(M_WAITOK);
|
||||
MAC_PERFORM(sysvmsg_init_label, label);
|
||||
MAC_POLICY_PERFORM(sysvmsg_init_label, label);
|
||||
return (label);
|
||||
}
|
||||
|
||||
@ -89,7 +89,7 @@ mac_sysv_msgqueue_label_alloc(void)
|
||||
struct label *label;
|
||||
|
||||
label = mac_labelzone_alloc(M_WAITOK);
|
||||
MAC_PERFORM(sysvmsq_init_label, label);
|
||||
MAC_POLICY_PERFORM(sysvmsq_init_label, label);
|
||||
return (label);
|
||||
}
|
||||
|
||||
@ -107,7 +107,7 @@ static void
|
||||
mac_sysv_msgmsg_label_free(struct label *label)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(sysvmsg_destroy_label, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(sysvmsg_destroy_label, label);
|
||||
mac_labelzone_free(label);
|
||||
}
|
||||
|
||||
@ -125,7 +125,7 @@ static void
|
||||
mac_sysv_msgqueue_label_free(struct label *label)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(sysvmsq_destroy_label, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(sysvmsq_destroy_label, label);
|
||||
mac_labelzone_free(label);
|
||||
}
|
||||
|
||||
@ -144,29 +144,30 @@ mac_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
|
||||
struct msg *msgptr)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(sysvmsg_create, cred, msqkptr, msqkptr->label,
|
||||
msgptr, msgptr->label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(sysvmsg_create, cred, msqkptr,
|
||||
msqkptr->label, msgptr, msgptr->label);
|
||||
}
|
||||
|
||||
void
|
||||
mac_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(sysvmsq_create, cred, msqkptr, msqkptr->label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(sysvmsq_create, cred, msqkptr,
|
||||
msqkptr->label);
|
||||
}
|
||||
|
||||
void
|
||||
mac_sysvmsg_cleanup(struct msg *msgptr)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(sysvmsg_cleanup, msgptr->label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(sysvmsg_cleanup, msgptr->label);
|
||||
}
|
||||
|
||||
void
|
||||
mac_sysvmsq_cleanup(struct msqid_kernel *msqkptr)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(sysvmsq_cleanup, msqkptr->label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(sysvmsq_cleanup, msqkptr->label);
|
||||
}
|
||||
|
||||
MAC_CHECK_PROBE_DEFINE3(sysvmsq_check_msgmsq, "struct ucred *",
|
||||
@ -178,8 +179,8 @@ mac_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr,
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(sysvmsq_check_msgmsq, cred, msgptr, msgptr->label,
|
||||
msqkptr, msqkptr->label);
|
||||
MAC_POLICY_CHECK_NOSLEEP(sysvmsq_check_msgmsq, cred, msgptr,
|
||||
msgptr->label, msqkptr, msqkptr->label);
|
||||
MAC_CHECK_PROBE3(sysvmsq_check_msgmsq, error, cred, msgptr, msqkptr);
|
||||
|
||||
return (error);
|
||||
@ -193,7 +194,8 @@ mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(sysvmsq_check_msgrcv, cred, msgptr, msgptr->label);
|
||||
MAC_POLICY_CHECK_NOSLEEP(sysvmsq_check_msgrcv, cred, msgptr,
|
||||
msgptr->label);
|
||||
MAC_CHECK_PROBE2(sysvmsq_check_msgrcv, error, cred, msgptr);
|
||||
|
||||
return (error);
|
||||
@ -207,7 +209,7 @@ mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(sysvmsq_check_msgrmid, cred, msgptr,
|
||||
MAC_POLICY_CHECK_NOSLEEP(sysvmsq_check_msgrmid, cred, msgptr,
|
||||
msgptr->label);
|
||||
MAC_CHECK_PROBE2(sysvmsq_check_msgrmid, error, cred, msgptr);
|
||||
|
||||
@ -222,7 +224,7 @@ mac_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(sysvmsq_check_msqget, cred, msqkptr,
|
||||
MAC_POLICY_CHECK_NOSLEEP(sysvmsq_check_msqget, cred, msqkptr,
|
||||
msqkptr->label);
|
||||
MAC_CHECK_PROBE2(sysvmsq_check_msqget, error, cred, msqkptr);
|
||||
|
||||
@ -237,7 +239,7 @@ mac_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(sysvmsq_check_msqsnd, cred, msqkptr,
|
||||
MAC_POLICY_CHECK_NOSLEEP(sysvmsq_check_msqsnd, cred, msqkptr,
|
||||
msqkptr->label);
|
||||
MAC_CHECK_PROBE2(sysvmsq_check_msqsnd, error, cred, msqkptr);
|
||||
|
||||
@ -252,7 +254,7 @@ mac_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(sysvmsq_check_msqrcv, cred, msqkptr,
|
||||
MAC_POLICY_CHECK_NOSLEEP(sysvmsq_check_msqrcv, cred, msqkptr,
|
||||
msqkptr->label);
|
||||
MAC_CHECK_PROBE2(sysvmsq_check_msqrcv, error, cred, msqkptr);
|
||||
|
||||
@ -268,7 +270,7 @@ mac_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(sysvmsq_check_msqctl, cred, msqkptr,
|
||||
MAC_POLICY_CHECK_NOSLEEP(sysvmsq_check_msqctl, cred, msqkptr,
|
||||
msqkptr->label, cmd);
|
||||
MAC_CHECK_PROBE3(sysvmsq_check_msqctl, error, cred, msqkptr, cmd);
|
||||
|
||||
|
@ -68,7 +68,7 @@ mac_sysv_sem_label_alloc(void)
|
||||
struct label *label;
|
||||
|
||||
label = mac_labelzone_alloc(M_WAITOK);
|
||||
MAC_PERFORM(sysvsem_init_label, label);
|
||||
MAC_POLICY_PERFORM(sysvsem_init_label, label);
|
||||
return (label);
|
||||
}
|
||||
|
||||
@ -86,7 +86,7 @@ static void
|
||||
mac_sysv_sem_label_free(struct label *label)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(sysvsem_destroy_label, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(sysvsem_destroy_label, label);
|
||||
mac_labelzone_free(label);
|
||||
}
|
||||
|
||||
@ -104,14 +104,15 @@ void
|
||||
mac_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(sysvsem_create, cred, semakptr, semakptr->label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(sysvsem_create, cred, semakptr,
|
||||
semakptr->label);
|
||||
}
|
||||
|
||||
void
|
||||
mac_sysvsem_cleanup(struct semid_kernel *semakptr)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(sysvsem_cleanup, semakptr->label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(sysvsem_cleanup, semakptr->label);
|
||||
}
|
||||
|
||||
MAC_CHECK_PROBE_DEFINE3(sysvsem_check_semctl, "struct ucred *",
|
||||
@ -123,7 +124,7 @@ mac_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr,
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(sysvsem_check_semctl, cred, semakptr,
|
||||
MAC_POLICY_CHECK_NOSLEEP(sysvsem_check_semctl, cred, semakptr,
|
||||
semakptr->label, cmd);
|
||||
MAC_CHECK_PROBE3(sysvsem_check_semctl, error, cred, semakptr, cmd);
|
||||
|
||||
@ -138,7 +139,7 @@ mac_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(sysvsem_check_semget, cred, semakptr,
|
||||
MAC_POLICY_CHECK_NOSLEEP(sysvsem_check_semget, cred, semakptr,
|
||||
semakptr->label);
|
||||
|
||||
return (error);
|
||||
@ -153,7 +154,7 @@ mac_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr,
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(sysvsem_check_semop, cred, semakptr,
|
||||
MAC_POLICY_CHECK_NOSLEEP(sysvsem_check_semop, cred, semakptr,
|
||||
semakptr->label, accesstype);
|
||||
MAC_CHECK_PROBE3(sysvsem_check_semop, error, cred, semakptr,
|
||||
accesstype);
|
||||
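Review bot: In the mac_sysvsem_check_semget hunk the policy result is returned right after `MAC_POLICY_CHECK_NOSLEEP(sysvsem_check_semget, ...)` with no probe call, while the neighbouring semctl and semop checks in this file both report `error` through `MAC_CHECK_PROBE3`. That leaves semget decisions invisible to whatever tracing consumes those probes, so a denial from this check cannot be observed the same way as the others. I would add `MAC_CHECK_PROBE2(sysvsem_check_semget, error, cred, semakptr);` before `return (error);`. It also needs a matching `MAC_CHECK_PROBE_DEFINE2` above the function, which starts outside the hunk, so I cannot tell from here whether one already exists.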
|
@ -68,7 +68,7 @@ mac_sysv_shm_label_alloc(void)
|
||||
struct label *label;
|
||||
|
||||
label = mac_labelzone_alloc(M_WAITOK);
|
||||
MAC_PERFORM(sysvshm_init_label, label);
|
||||
MAC_POLICY_PERFORM(sysvshm_init_label, label);
|
||||
return (label);
|
||||
}
|
||||
|
||||
@ -86,7 +86,7 @@ static void
|
||||
mac_sysv_shm_label_free(struct label *label)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(sysvshm_destroy_label, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(sysvshm_destroy_label, label);
|
||||
mac_labelzone_free(label);
|
||||
}
|
||||
|
||||
@ -104,7 +104,7 @@ void
|
||||
mac_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(sysvshm_create, cred, shmsegptr,
|
||||
MAC_POLICY_PERFORM_NOSLEEP(sysvshm_create, cred, shmsegptr,
|
||||
shmsegptr->label);
|
||||
}
|
||||
|
||||
@ -112,7 +112,7 @@ void
|
||||
mac_sysvshm_cleanup(struct shmid_kernel *shmsegptr)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(sysvshm_cleanup, shmsegptr->label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(sysvshm_cleanup, shmsegptr->label);
|
||||
}
|
||||
|
||||
MAC_CHECK_PROBE_DEFINE3(sysvshm_check_shmat, "struct ucred *",
|
||||
@ -124,7 +124,7 @@ mac_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(sysvshm_check_shmat, cred, shmsegptr,
|
||||
MAC_POLICY_CHECK_NOSLEEP(sysvshm_check_shmat, cred, shmsegptr,
|
||||
shmsegptr->label, shmflg);
|
||||
MAC_CHECK_PROBE3(sysvshm_check_shmat, error, cred, shmsegptr,
|
||||
shmflg);
|
||||
@ -141,7 +141,7 @@ mac_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(sysvshm_check_shmctl, cred, shmsegptr,
|
||||
MAC_POLICY_CHECK_NOSLEEP(sysvshm_check_shmctl, cred, shmsegptr,
|
||||
shmsegptr->label, cmd);
|
||||
MAC_CHECK_PROBE3(sysvshm_check_shmctl, error, cred, shmsegptr, cmd);
|
||||
|
||||
@ -156,7 +156,7 @@ mac_sysvshm_check_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(sysvshm_check_shmdt, cred, shmsegptr,
|
||||
MAC_POLICY_CHECK_NOSLEEP(sysvshm_check_shmdt, cred, shmsegptr,
|
||||
shmsegptr->label);
|
||||
MAC_CHECK_PROBE2(sysvshm_check_shmdt, error, cred, shmsegptr);
|
||||
|
||||
@ -172,7 +172,7 @@ mac_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(sysvshm_check_shmget, cred, shmsegptr,
|
||||
MAC_POLICY_CHECK_NOSLEEP(sysvshm_check_shmget, cred, shmsegptr,
|
||||
shmsegptr->label, shmflg);
|
||||
MAC_CHECK_PROBE3(sysvshm_check_shmget, error, cred, shmsegptr,
|
||||
shmflg);
|
||||
|
@ -92,7 +92,7 @@ mac_devfs_label_alloc(void)
|
||||
struct label *label;
|
||||
|
||||
label = mac_labelzone_alloc(M_WAITOK);
|
||||
MAC_PERFORM(devfs_init_label, label);
|
||||
MAC_POLICY_PERFORM(devfs_init_label, label);
|
||||
return (label);
|
||||
}
|
||||
|
||||
@ -112,7 +112,7 @@ mac_mount_label_alloc(void)
|
||||
struct label *label;
|
||||
|
||||
label = mac_labelzone_alloc(M_WAITOK);
|
||||
MAC_PERFORM(mount_init_label, label);
|
||||
MAC_POLICY_PERFORM(mount_init_label, label);
|
||||
return (label);
|
||||
}
|
||||
|
||||
@ -132,7 +132,7 @@ mac_vnode_label_alloc(void)
|
||||
struct label *label;
|
||||
|
||||
label = mac_labelzone_alloc(M_WAITOK);
|
||||
MAC_PERFORM(vnode_init_label, label);
|
||||
MAC_POLICY_PERFORM(vnode_init_label, label);
|
||||
return (label);
|
||||
}
|
||||
|
||||
@ -150,7 +150,7 @@ static void
|
||||
mac_devfs_label_free(struct label *label)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(devfs_destroy_label, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(devfs_destroy_label, label);
|
||||
mac_labelzone_free(label);
|
||||
}
|
||||
|
||||
@ -168,7 +168,7 @@ static void
|
||||
mac_mount_label_free(struct label *label)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(mount_destroy_label, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(mount_destroy_label, label);
|
||||
mac_labelzone_free(label);
|
||||
}
|
||||
|
||||
@ -186,7 +186,7 @@ void
|
||||
mac_vnode_label_free(struct label *label)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(vnode_destroy_label, label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(vnode_destroy_label, label);
|
||||
mac_labelzone_free(label);
|
||||
}
|
||||
|
||||
@ -204,7 +204,7 @@ void
|
||||
mac_vnode_copy_label(struct label *src, struct label *dest)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(vnode_copy_label, src, dest);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(vnode_copy_label, src, dest);
|
||||
}
|
||||
|
||||
int
|
||||
@ -213,7 +213,7 @@ mac_vnode_externalize_label(struct label *label, char *elements,
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_EXTERNALIZE(vnode, label, elements, outbuf, outbuflen);
|
||||
MAC_POLICY_EXTERNALIZE(vnode, label, elements, outbuf, outbuflen);
|
||||
|
||||
return (error);
|
||||
}
|
||||
@ -223,7 +223,7 @@ mac_vnode_internalize_label(struct label *label, char *string)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_INTERNALIZE(vnode, label, string);
|
||||
MAC_POLICY_INTERNALIZE(vnode, label, string);
|
||||
|
||||
return (error);
|
||||
}
|
||||
@ -232,7 +232,7 @@ void
|
||||
mac_devfs_update(struct mount *mp, struct devfs_dirent *de, struct vnode *vp)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(devfs_update, mp, de, de->de_label, vp,
|
||||
MAC_POLICY_PERFORM_NOSLEEP(devfs_update, mp, de, de->de_label, vp,
|
||||
vp->v_label);
|
||||
}
|
||||
|
||||
@ -241,8 +241,8 @@ mac_devfs_vnode_associate(struct mount *mp, struct devfs_dirent *de,
|
||||
struct vnode *vp)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(devfs_vnode_associate, mp, mp->mnt_label, de,
|
||||
de->de_label, vp, vp->v_label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(devfs_vnode_associate, mp, mp->mnt_label,
|
||||
de, de->de_label, vp, vp->v_label);
|
||||
}
|
||||
|
||||
int
|
||||
@ -252,7 +252,7 @@ mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp)
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_associate_extattr");
|
||||
|
||||
MAC_CHECK(vnode_associate_extattr, mp, mp->mnt_label, vp,
|
||||
MAC_POLICY_CHECK(vnode_associate_extattr, mp, mp->mnt_label, vp,
|
||||
vp->v_label);
|
||||
|
||||
return (error);
|
||||
@ -262,8 +262,8 @@ void
|
||||
mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(vnode_associate_singlelabel, mp, mp->mnt_label,
|
||||
vp, vp->v_label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(vnode_associate_singlelabel, mp,
|
||||
mp->mnt_label, vp, vp->v_label);
|
||||
}
|
||||
|
||||
/*
|
||||
@ -294,7 +294,7 @@ mac_vnode_create_extattr(struct ucred *cred, struct mount *mp,
|
||||
} else if (error)
|
||||
return (error);
|
||||
|
||||
MAC_CHECK(vnode_create_extattr, cred, mp, mp->mnt_label, dvp,
|
||||
MAC_POLICY_CHECK(vnode_create_extattr, cred, mp, mp->mnt_label, dvp,
|
||||
dvp->v_label, vp, vp->v_label, cnp);
|
||||
|
||||
if (error) {
|
||||
@ -327,7 +327,8 @@ mac_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
|
||||
} else if (error)
|
||||
return (error);
|
||||
|
||||
MAC_CHECK(vnode_setlabel_extattr, cred, vp, vp->v_label, intlabel);
|
||||
MAC_POLICY_CHECK(vnode_setlabel_extattr, cred, vp, vp->v_label,
|
||||
intlabel);
|
||||
|
||||
if (error) {
|
||||
VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
|
||||
@ -348,8 +349,8 @@ mac_vnode_execve_transition(struct ucred *old, struct ucred *new,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_execve_transition");
|
||||
|
||||
MAC_PERFORM(vnode_execve_transition, old, new, vp, vp->v_label,
|
||||
interpvplabel, imgp, imgp->execlabel);
|
||||
MAC_POLICY_PERFORM(vnode_execve_transition, old, new, vp,
|
||||
vp->v_label, interpvplabel, imgp, imgp->execlabel);
|
||||
}
|
||||
|
||||
int
|
||||
@ -362,7 +363,7 @@ mac_vnode_execve_will_transition(struct ucred *old, struct vnode *vp,
|
||||
|
||||
result = 0;
|
||||
/* No sleeping since the process lock will be held by the caller. */
|
||||
MAC_BOOLEAN_NOSLEEP(vnode_execve_will_transition, ||, old, vp,
|
||||
MAC_POLICY_BOOLEAN_NOSLEEP(vnode_execve_will_transition, ||, old, vp,
|
||||
vp->v_label, interpvplabel, imgp, imgp->execlabel);
|
||||
|
||||
return (result);
|
||||
@ -378,7 +379,7 @@ mac_vnode_check_access(struct ucred *cred, struct vnode *vp, accmode_t accmode)
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_access");
|
||||
|
||||
MAC_CHECK(vnode_check_access, cred, vp, vp->v_label, accmode);
|
||||
MAC_POLICY_CHECK(vnode_check_access, cred, vp, vp->v_label, accmode);
|
||||
MAC_CHECK_PROBE3(vnode_check_access, error, cred, vp, accmode);
|
||||
|
||||
return (error);
|
||||
@ -394,7 +395,7 @@ mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp)
|
||||
|
||||
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_chdir");
|
||||
|
||||
MAC_CHECK(vnode_check_chdir, cred, dvp, dvp->v_label);
|
||||
MAC_POLICY_CHECK(vnode_check_chdir, cred, dvp, dvp->v_label);
|
||||
MAC_CHECK_PROBE2(vnode_check_chdir, error, cred, dvp);
|
||||
|
||||
return (error);
|
||||
@ -410,7 +411,7 @@ mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp)
|
||||
|
||||
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_chroot");
|
||||
|
||||
MAC_CHECK(vnode_check_chroot, cred, dvp, dvp->v_label);
|
||||
MAC_POLICY_CHECK(vnode_check_chroot, cred, dvp, dvp->v_label);
|
||||
MAC_CHECK_PROBE2(vnode_check_chroot, error, cred, dvp);
|
||||
|
||||
return (error);
|
||||
@ -427,7 +428,8 @@ mac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
|
||||
|
||||
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_create");
|
||||
|
||||
MAC_CHECK(vnode_check_create, cred, dvp, dvp->v_label, cnp, vap);
|
||||
MAC_POLICY_CHECK(vnode_check_create, cred, dvp, dvp->v_label, cnp,
|
||||
vap);
|
||||
MAC_CHECK_PROBE4(vnode_check_create, error, cred, dvp, cnp, vap);
|
||||
|
||||
return (error);
|
||||
@ -444,7 +446,7 @@ mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_deleteacl");
|
||||
|
||||
MAC_CHECK(vnode_check_deleteacl, cred, vp, vp->v_label, type);
|
||||
MAC_POLICY_CHECK(vnode_check_deleteacl, cred, vp, vp->v_label, type);
|
||||
MAC_CHECK_PROBE3(vnode_check_deleteacl, error, cred, vp, type);
|
||||
|
||||
return (error);
|
||||
@ -461,7 +463,7 @@ mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_deleteextattr");
|
||||
|
||||
MAC_CHECK(vnode_check_deleteextattr, cred, vp, vp->v_label,
|
||||
MAC_POLICY_CHECK(vnode_check_deleteextattr, cred, vp, vp->v_label,
|
||||
attrnamespace, name);
|
||||
MAC_CHECK_PROBE4(vnode_check_deleteextattr, error, cred, vp,
|
||||
attrnamespace, name);
|
||||
@ -480,7 +482,7 @@ mac_vnode_check_exec(struct ucred *cred, struct vnode *vp,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_exec");
|
||||
|
||||
MAC_CHECK(vnode_check_exec, cred, vp, vp->v_label, imgp,
|
||||
MAC_POLICY_CHECK(vnode_check_exec, cred, vp, vp->v_label, imgp,
|
||||
imgp->execlabel);
|
||||
MAC_CHECK_PROBE3(vnode_check_exec, error, cred, vp, imgp);
|
||||
|
||||
@ -497,7 +499,7 @@ mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_getacl");
|
||||
|
||||
MAC_CHECK(vnode_check_getacl, cred, vp, vp->v_label, type);
|
||||
MAC_POLICY_CHECK(vnode_check_getacl, cred, vp, vp->v_label, type);
|
||||
MAC_CHECK_PROBE3(vnode_check_getacl, error, cred, vp, type);
|
||||
|
||||
return (error);
|
||||
@ -514,7 +516,7 @@ mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_getextattr");
|
||||
|
||||
MAC_CHECK(vnode_check_getextattr, cred, vp, vp->v_label,
|
||||
MAC_POLICY_CHECK(vnode_check_getextattr, cred, vp, vp->v_label,
|
||||
attrnamespace, name);
|
||||
MAC_CHECK_PROBE4(vnode_check_getextattr, error, cred, vp,
|
||||
attrnamespace, name);
|
||||
@ -534,7 +536,7 @@ mac_vnode_check_link(struct ucred *cred, struct vnode *dvp,
|
||||
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_link");
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_link");
|
||||
|
||||
MAC_CHECK(vnode_check_link, cred, dvp, dvp->v_label, vp,
|
||||
MAC_POLICY_CHECK(vnode_check_link, cred, dvp, dvp->v_label, vp,
|
||||
vp->v_label, cnp);
|
||||
MAC_CHECK_PROBE4(vnode_check_link, error, cred, dvp, vp, cnp);
|
||||
|
||||
@ -552,7 +554,7 @@ mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_listextattr");
|
||||
|
||||
MAC_CHECK(vnode_check_listextattr, cred, vp, vp->v_label,
|
||||
MAC_POLICY_CHECK(vnode_check_listextattr, cred, vp, vp->v_label,
|
||||
attrnamespace);
|
||||
MAC_CHECK_PROBE3(vnode_check_listextattr, error, cred, vp,
|
||||
attrnamespace);
|
||||
@ -571,7 +573,7 @@ mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
|
||||
|
||||
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_lookup");
|
||||
|
||||
MAC_CHECK(vnode_check_lookup, cred, dvp, dvp->v_label, cnp);
|
||||
MAC_POLICY_CHECK(vnode_check_lookup, cred, dvp, dvp->v_label, cnp);
|
||||
MAC_CHECK_PROBE3(vnode_check_lookup, error, cred, dvp, cnp);
|
||||
|
||||
return (error);
|
||||
@ -588,7 +590,7 @@ mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mmap");
|
||||
|
||||
MAC_CHECK(vnode_check_mmap, cred, vp, vp->v_label, prot, flags);
|
||||
MAC_POLICY_CHECK(vnode_check_mmap, cred, vp, vp->v_label, prot, flags);
|
||||
MAC_CHECK_PROBE4(vnode_check_mmap, error, cred, vp, prot, flags);
|
||||
|
||||
return (error);
|
||||
@ -602,7 +604,7 @@ mac_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mmap_downgrade");
|
||||
|
||||
MAC_PERFORM(vnode_check_mmap_downgrade, cred, vp, vp->v_label,
|
||||
MAC_POLICY_PERFORM(vnode_check_mmap_downgrade, cred, vp, vp->v_label,
|
||||
&result);
|
||||
|
||||
*prot = result;
|
||||
@ -618,7 +620,7 @@ mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, int prot)
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mprotect");
|
||||
|
||||
MAC_CHECK(vnode_check_mprotect, cred, vp, vp->v_label, prot);
|
||||
MAC_POLICY_CHECK(vnode_check_mprotect, cred, vp, vp->v_label, prot);
|
||||
MAC_CHECK_PROBE3(vnode_check_mprotect, error, cred, vp, prot);
|
||||
|
||||
return (error);
|
||||
@ -634,7 +636,7 @@ mac_vnode_check_open(struct ucred *cred, struct vnode *vp, accmode_t accmode)
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_open");
|
||||
|
||||
MAC_CHECK(vnode_check_open, cred, vp, vp->v_label, accmode);
|
||||
MAC_POLICY_CHECK(vnode_check_open, cred, vp, vp->v_label, accmode);
|
||||
return (error);
|
||||
}
|
||||
|
||||
@ -649,7 +651,7 @@ mac_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_poll");
|
||||
|
||||
MAC_CHECK(vnode_check_poll, active_cred, file_cred, vp,
|
||||
MAC_POLICY_CHECK(vnode_check_poll, active_cred, file_cred, vp,
|
||||
vp->v_label);
|
||||
MAC_CHECK_PROBE3(vnode_check_poll, error, active_cred, file_cred,
|
||||
vp);
|
||||
@ -668,7 +670,7 @@ mac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_read");
|
||||
|
||||
MAC_CHECK(vnode_check_read, active_cred, file_cred, vp,
|
||||
MAC_POLICY_CHECK(vnode_check_read, active_cred, file_cred, vp,
|
||||
vp->v_label);
|
||||
MAC_CHECK_PROBE3(vnode_check_read, error, active_cred, file_cred,
|
||||
vp);
|
||||
@ -686,7 +688,7 @@ mac_vnode_check_readdir(struct ucred *cred, struct vnode *dvp)
|
||||
|
||||
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_readdir");
|
||||
|
||||
MAC_CHECK(vnode_check_readdir, cred, dvp, dvp->v_label);
|
||||
MAC_POLICY_CHECK(vnode_check_readdir, cred, dvp, dvp->v_label);
|
||||
MAC_CHECK_PROBE2(vnode_check_readdir, error, cred, dvp);
|
||||
|
||||
return (error);
|
||||
@ -702,7 +704,7 @@ mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp)
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_readlink");
|
||||
|
||||
MAC_CHECK(vnode_check_readlink, cred, vp, vp->v_label);
|
||||
MAC_POLICY_CHECK(vnode_check_readlink, cred, vp, vp->v_label);
|
||||
MAC_CHECK_PROBE2(vnode_check_readlink, error, cred, vp);
|
||||
|
||||
return (error);
|
||||
@ -719,7 +721,7 @@ mac_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_relabel");
|
||||
|
||||
MAC_CHECK(vnode_check_relabel, cred, vp, vp->v_label, newlabel);
|
||||
MAC_POLICY_CHECK(vnode_check_relabel, cred, vp, vp->v_label, newlabel);
|
||||
MAC_CHECK_PROBE3(vnode_check_relabel, error, cred, vp, newlabel);
|
||||
|
||||
return (error);
|
||||
@ -737,7 +739,7 @@ mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
|
||||
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_rename_from");
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_rename_from");
|
||||
|
||||
MAC_CHECK(vnode_check_rename_from, cred, dvp, dvp->v_label, vp,
|
||||
MAC_POLICY_CHECK(vnode_check_rename_from, cred, dvp, dvp->v_label, vp,
|
||||
vp->v_label, cnp);
|
||||
MAC_CHECK_PROBE4(vnode_check_rename_from, error, cred, dvp, vp, cnp);
|
||||
|
||||
@ -756,7 +758,7 @@ mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
|
||||
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_rename_to");
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_rename_to");
|
||||
|
||||
MAC_CHECK(vnode_check_rename_to, cred, dvp, dvp->v_label, vp,
|
||||
MAC_POLICY_CHECK(vnode_check_rename_to, cred, dvp, dvp->v_label, vp,
|
||||
vp != NULL ? vp->v_label : NULL, samedir, cnp);
|
||||
MAC_CHECK_PROBE4(vnode_check_rename_to, error, cred, dvp, vp, cnp);
|
||||
return (error);
|
||||
@ -772,7 +774,7 @@ mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp)
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_revoke");
|
||||
|
||||
MAC_CHECK(vnode_check_revoke, cred, vp, vp->v_label);
|
||||
MAC_POLICY_CHECK(vnode_check_revoke, cred, vp, vp->v_label);
|
||||
MAC_CHECK_PROBE2(vnode_check_revoke, error, cred, vp);
|
||||
|
||||
return (error);
|
||||
@ -789,7 +791,7 @@ mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setacl");
|
||||
|
||||
MAC_CHECK(vnode_check_setacl, cred, vp, vp->v_label, type, acl);
|
||||
MAC_POLICY_CHECK(vnode_check_setacl, cred, vp, vp->v_label, type, acl);
|
||||
MAC_CHECK_PROBE4(vnode_check_setacl, error, cred, vp, type, acl);
|
||||
|
||||
return (error);
|
||||
@ -806,7 +808,7 @@ mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setextattr");
|
||||
|
||||
MAC_CHECK(vnode_check_setextattr, cred, vp, vp->v_label,
|
||||
MAC_POLICY_CHECK(vnode_check_setextattr, cred, vp, vp->v_label,
|
||||
attrnamespace, name);
|
||||
MAC_CHECK_PROBE4(vnode_check_setextattr, error, cred, vp,
|
||||
attrnamespace, name);
|
||||
@ -824,7 +826,7 @@ mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setflags");
|
||||
|
||||
MAC_CHECK(vnode_check_setflags, cred, vp, vp->v_label, flags);
|
||||
MAC_POLICY_CHECK(vnode_check_setflags, cred, vp, vp->v_label, flags);
|
||||
MAC_CHECK_PROBE3(vnode_check_setflags, error, cred, vp, flags);
|
||||
|
||||
return (error);
|
||||
@ -840,7 +842,7 @@ mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setmode");
|
||||
|
||||
MAC_CHECK(vnode_check_setmode, cred, vp, vp->v_label, mode);
|
||||
MAC_POLICY_CHECK(vnode_check_setmode, cred, vp, vp->v_label, mode);
|
||||
MAC_CHECK_PROBE3(vnode_check_setmode, error, cred, vp, mode);
|
||||
|
||||
return (error);
|
||||
@ -857,7 +859,7 @@ mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setowner");
|
||||
|
||||
MAC_CHECK(vnode_check_setowner, cred, vp, vp->v_label, uid, gid);
|
||||
MAC_POLICY_CHECK(vnode_check_setowner, cred, vp, vp->v_label, uid, gid);
|
||||
MAC_CHECK_PROBE4(vnode_check_setowner, error, cred, vp, uid, gid);
|
||||
|
||||
return (error);
|
||||
@ -874,7 +876,7 @@ mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setutimes");
|
||||
|
||||
MAC_CHECK(vnode_check_setutimes, cred, vp, vp->v_label, atime,
|
||||
MAC_POLICY_CHECK(vnode_check_setutimes, cred, vp, vp->v_label, atime,
|
||||
mtime);
|
||||
MAC_CHECK_PROBE4(vnode_check_setutimes, error, cred, vp, &atime,
|
||||
&mtime);
|
||||
@ -893,7 +895,7 @@ mac_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_stat");
|
||||
|
||||
MAC_CHECK(vnode_check_stat, active_cred, file_cred, vp,
|
||||
MAC_POLICY_CHECK(vnode_check_stat, active_cred, file_cred, vp,
|
||||
vp->v_label);
|
||||
MAC_CHECK_PROBE3(vnode_check_stat, error, active_cred, file_cred,
|
||||
vp);
|
||||
@ -913,7 +915,7 @@ mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
|
||||
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_unlink");
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_unlink");
|
||||
|
||||
MAC_CHECK(vnode_check_unlink, cred, dvp, dvp->v_label, vp,
|
||||
MAC_POLICY_CHECK(vnode_check_unlink, cred, dvp, dvp->v_label, vp,
|
||||
vp->v_label, cnp);
|
||||
MAC_CHECK_PROBE4(vnode_check_unlink, error, cred, dvp, vp, cnp);
|
||||
|
||||
@ -931,7 +933,7 @@ mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_write");
|
||||
|
||||
MAC_CHECK(vnode_check_write, active_cred, file_cred, vp,
|
||||
MAC_POLICY_CHECK(vnode_check_write, active_cred, file_cred, vp,
|
||||
vp->v_label);
|
||||
MAC_CHECK_PROBE3(vnode_check_write, error, active_cred, file_cred,
|
||||
vp);
|
||||
@ -944,14 +946,14 @@ mac_vnode_relabel(struct ucred *cred, struct vnode *vp,
|
||||
struct label *newlabel)
|
||||
{
|
||||
|
||||
MAC_PERFORM(vnode_relabel, cred, vp, vp->v_label, newlabel);
|
||||
MAC_POLICY_PERFORM(vnode_relabel, cred, vp, vp->v_label, newlabel);
|
||||
}
|
||||
|
||||
void
|
||||
mac_mount_create(struct ucred *cred, struct mount *mp)
|
||||
{
|
||||
|
||||
MAC_PERFORM(mount_create, cred, mp, mp->mnt_label);
|
||||
MAC_POLICY_PERFORM(mount_create, cred, mp, mp->mnt_label);
|
||||
}
|
||||
|
||||
MAC_CHECK_PROBE_DEFINE2(mount_check_stat, "struct ucred *",
|
||||
@ -962,7 +964,7 @@ mac_mount_check_stat(struct ucred *cred, struct mount *mount)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK_NOSLEEP(mount_check_stat, cred, mount, mount->mnt_label);
|
||||
MAC_POLICY_CHECK_NOSLEEP(mount_check_stat, cred, mount, mount->mnt_label);
|
||||
MAC_CHECK_PROBE2(mount_check_stat, error, cred, mount);
|
||||
|
||||
return (error);
|
||||
@ -973,7 +975,7 @@ mac_devfs_create_device(struct ucred *cred, struct mount *mp,
|
||||
struct cdev *dev, struct devfs_dirent *de)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(devfs_create_device, cred, mp, dev, de,
|
||||
MAC_POLICY_PERFORM_NOSLEEP(devfs_create_device, cred, mp, dev, de,
|
||||
de->de_label);
|
||||
}
|
||||
|
||||
@ -982,7 +984,7 @@ mac_devfs_create_symlink(struct ucred *cred, struct mount *mp,
|
||||
struct devfs_dirent *dd, struct devfs_dirent *de)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(devfs_create_symlink, cred, mp, dd,
|
||||
MAC_POLICY_PERFORM_NOSLEEP(devfs_create_symlink, cred, mp, dd,
|
||||
dd->de_label, de, de->de_label);
|
||||
}
|
||||
|
||||
@ -991,8 +993,8 @@ mac_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen,
|
||||
struct devfs_dirent *de)
|
||||
{
|
||||
|
||||
MAC_PERFORM_NOSLEEP(devfs_create_directory, mp, dirname, dirnamelen,
|
||||
de, de->de_label);
|
||||
MAC_POLICY_PERFORM_NOSLEEP(devfs_create_directory, mp, dirname,
|
||||
dirnamelen, de, de->de_label);
|
||||
}
|
||||
|
||||
/*
|
||||
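Review bot: In the mac_vnode_check_open hunk, `MAC_POLICY_CHECK(vnode_check_open, cred, vp, vp->v_label, accmode);` is followed directly by `return (error);`, whereas every sibling vnode check visible in this file (access, chdir, lookup, read, write and so on) passes `error` to a `MAC_CHECK_PROBEn` call first. Open is one of the more security-relevant decisions to trace, so I would add `MAC_CHECK_PROBE3(vnode_check_open, error, cred, vp, accmode);`, mirroring mac_vnode_check_access. It needs a matching `MAC_CHECK_PROBE_DEFINE3` above the function, and the top of the function is outside the hunk, so confirm whether one is already there. Separately, the renamed call in mac_mount_check_stat, `MAC_POLICY_CHECK_NOSLEEP(mount_check_stat, cred, mount, mount->mnt_label);`, looks like it exceeds 80 columns once the body indent is counted (the indent is not visible on this page). The other lengthened calls in this commit were wrapped, and this one should be too.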
|