Index: security/mac/mac_framework.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac/mac_framework.c,v retrieving revision 1.136 diff -u -r1.136 mac_framework.c --- security/mac/mac_framework.c 1 Jan 2007 01:40:29 -0000 1.136 +++ security/mac/mac_framework.c 5 Aug 2008 16:57:53 -0000 @@ -3,6 +3,7 @@ * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * Copyright (c) 2005-2006 SPARTA, Inc. + * Copyright (c) 2008 Apple Inc. * All rights reserved. * * This software was developed by Robert Watson and Ilmar Habibulin for the @@ -125,22 +126,12 @@ static int mac_late = 0; /* - * Flag to indicate whether or not we should allocate label storage for new - * mbufs. Since most dynamic policies we currently work with don't rely on - * mbuf labeling, try to avoid paying the cost of mtag allocation unless - * specifically notified of interest. One result of this is that if a - * dynamically loaded policy requests mbuf labels, it must be able to deal - * with a NULL label being returned on any mbufs that were already in flight - * when the policy was loaded. Since the policy already has to deal with - * uninitialized labels, this probably won't be a problem. Note: currently - * no locking. Will this be a problem? - * - * In the future, we may want to allow objects to request labeling on a per- - * object type basis, rather than globally for all objects. + * Each policy declares a mask of object types requiring labels to be + * allocated for them. For convenience, we combine and cache the bitwise or + * of the per-policy object flags to track whether we will allocate a label + * for an object type at run-time. */ -#ifndef MAC_ALWAYS_LABEL_MBUF -int mac_labelmbufs = 0; -#endif +uint64_t mac_labeled; MALLOC_DEFINE(M_MACTEMP, "mactemp", "MAC temporary label storage"); 
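Review bot: The replacement comment above `uint64_t mac_labeled` drops the caveat the old mbuf comment carried — that a policy loaded after objects already exist will find NULL labels on those objects — even though the new mask now gates label allocation for every object type rather than just mbufs. mac_labeled is rewritten under the exclusive policy lock in mac_policy_updateflags (next hunk) but, as far as the visible init hunks show, read with no locking by every object init path, which the old text also called out and the new text does not. Suggest appending to the comment: `Policies registered after objects exist (i.e. without MPC_LOADTIME_FLAG_NOTLATE) will see NULL labels on those objects, and mac_labeled is read unlocked by the object init paths, so policy entry points must tolerate a NULL label.`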
@@ -344,23 +335,15 @@ static void mac_policy_updateflags(void) { -#ifndef MAC_ALWAYS_LABEL_MBUF - struct mac_policy_conf *tmpc; - int labelmbufs; + struct mac_policy_conf *mpc; mac_policy_assert_exclusive(); - labelmbufs = 0; - LIST_FOREACH(tmpc, &mac_static_policy_list, mpc_list) { - if (tmpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_LABELMBUFS) - labelmbufs++; - } - LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) { - if (tmpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_LABELMBUFS) - labelmbufs++; - } - mac_labelmbufs = (labelmbufs != 0); -#endif + mac_labeled = 0; + LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) + mac_labeled |= mpc->mpc_labeled; + LIST_FOREACH(mpc, &mac_policy_list, mpc_list) + mac_labeled |= mpc->mpc_labeled; } static int Index: security/mac/mac_inet.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac/mac_inet.c,v retrieving revision 1.20 diff -u -r1.20 mac_inet.c --- security/mac/mac_inet.c 13 Jun 2008 22:14:15 -0000 1.20 +++ security/mac/mac_inet.c 5 Aug 2008 17:46:28 -0000 @@ -91,9 +91,12 @@ mac_inpcb_init(struct inpcb *inp, int flag) { - inp->inp_label = mac_inpcb_label_alloc(flag); - if (inp->inp_label == NULL) - return (ENOMEM); + if (mac_labeled & MPC_OBJECT_INPCB) { + inp->inp_label = mac_inpcb_label_alloc(flag); + if (inp->inp_label == NULL) + return (ENOMEM); + } else + inp->inp_label = NULL; return (0); } @@ -120,9 +123,12 @@ mac_ipq_init(struct ipq *q, int flag) { - q->ipq_label = mac_ipq_label_alloc(flag); - if (q->ipq_label == NULL) - return (ENOMEM); + if (mac_labeled & MPC_OBJECT_IPQ) { + q->ipq_label = mac_ipq_label_alloc(flag); + if (q->ipq_label == NULL) + return (ENOMEM); + } else + ipq->ipq_label = NULL; return (0); } @@ -138,8 +144,10 @@ mac_inpcb_destroy(struct inpcb *inp) { - mac_inpcb_label_free(inp->inp_label); - inp->inp_label = NULL; + if (inp->inp_label != NULL) { + mac_inpcb_label_free(inp->inp_label); + inp->inp_label = NULL; + } } static void 
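Review bot: Removing the `#ifndef MAC_ALWAYS_LABEL_MBUF` block from mac_policy_updateflags (together with the mac_labelmbufs declaration and the mac_mbuf_init block in later hunks) means the kernel option is no longer consulted anywhere in this diff, yet nothing here retires it from the build configuration. If the option is still declared in the kernel options file, a kernel built with it will now silently get conditional mbuf labeling instead of unconditional labeling; it should be removed in the same commit or the commit message should note that it has become a no-op. The new loop itself is fine: clearing `mac_labeled` before OR-ing both lists is correct and the exclusive-lock assertion covers the update.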
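Review bot: In mac_ipq_init the new else branch assigns `ipq->ipq_label = NULL;`, but the parameter is named `q`, so this does not compile; the same typo appears in mac_ipq_destroy on the next hunk (`if (ipq->ipq_label != NULL) {`). The lines should read `q->ipq_label = NULL;` here and `if (q->ipq_label != NULL) {` in mac_ipq_destroy. mac_inpcb_init and mac_inpcb_destroy in the same file use the parameter name correctly.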
@@ -154,8 +162,10 @@ mac_ipq_destroy(struct ipq *q) { - mac_ipq_label_free(q->ipq_label); - q->ipq_label = NULL; + if (ipq->ipq_label != NULL) { + mac_ipq_label_free(q->ipq_label); + q->ipq_label = NULL; + } } void @@ -349,9 +359,11 @@ mac_syncache_destroy(struct label **label) { - MAC_PERFORM(syncache_destroy_label, *label); - mac_labelzone_free(*label); - *label = NULL; + if (*label != NULL) { + MAC_PERFORM(syncache_destroy_label, *label); + mac_labelzone_free(*label); + *label = NULL; + } } int @@ -359,21 +371,25 @@ { int error; - *label = mac_labelzone_alloc(M_NOWAIT); - if (*label == NULL) - return (ENOMEM); - /* - * Since we are holding the inpcb locks the policy can not allocate - * policy specific label storage using M_WAITOK. So we need to do a - * MAC_CHECK instead of the typical MAC_PERFORM so we can propagate - * allocation failures back to the syncache code. - */ - MAC_CHECK(syncache_init_label, *label, M_NOWAIT); - if (error) { - MAC_PERFORM(syncache_destroy_label, *label); - mac_labelzone_free(*label); - } - return (error); + if (mac_labeled & MPC_OBJECT_SYNCACHE) { + *label = mac_labelzone_alloc(M_NOWAIT); + if (*label == NULL) + return (ENOMEM); + /* + * Since we are holding the inpcb locks the policy can not + * allocate policy specific label storage using M_WAITOK. So + * we need to do a MAC_CHECK instead of the typical + * MAC_PERFORM so we can propagate allocation failures back + * to the syncache code. + */ + MAC_CHECK(syncache_init_label, *label, M_NOWAIT); + if (error) { + MAC_PERFORM(syncache_destroy_label, *label); + mac_labelzone_free(*label); + } + return (error); + } else + *label = NULL; } void Index: security/mac/mac_internal.h =================================================================== RCS file: /home/ncvs/src/sys/security/mac/mac_internal.h,v retrieving revision 1.124 diff -u -r1.124 mac_internal.h --- security/mac/mac_internal.h 13 Apr 2008 21:45:52 -0000 1.124 +++ security/mac/mac_internal.h 22 May 2008 11:17:13 -0000 
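Review bot: In mac_syncache_init the new `else` arm sets `*label = NULL;` and then falls off the end of an int-returning function, because the only `return (error);` now lives inside the `if (mac_labeled & MPC_OBJECT_SYNCACHE)` block; the caller would receive an indeterminate value and could treat a successful no-label init as a failure. Change the tail to `} else` / `*label = NULL;` / `return (0);` (or move `return (error);` after the if/else with `error = 0` initialized up front). The function signature and the `int error;` declaration sit above the hunk.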
@@ -88,9 +88,7 @@ */ extern struct mac_policy_list_head mac_policy_list; extern struct mac_policy_list_head mac_static_policy_list; -#ifndef MAC_ALWAYS_LABEL_MBUF -extern int mac_labelmbufs; -#endif +extern uint64_t mac_labeled; extern struct mtx mac_ifnet_mtx; /* Index: security/mac/mac_net.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac/mac_net.c,v retrieving revision 1.131 diff -u -r1.131 mac_net.c --- security/mac/mac_net.c 28 Oct 2007 17:55:56 -0000 1.131 +++ security/mac/mac_net.c 5 Aug 2008 17:47:27 -0000 @@ -112,7 +112,10 @@ mac_bpfdesc_init(struct bpf_d *d) { - d->bd_label = mac_bpfdesc_label_alloc(); + if (mac_labeled & MPC_OBJECT_BPFDESC) + d->bd_label = mac_bpfdesc_label_alloc(); + else + d->bd_label = NULL; } static struct label * @@ -129,7 +132,10 @@ mac_ifnet_init(struct ifnet *ifp) { - ifp->if_label = mac_ifnet_label_alloc(); + if (mac_labeled & MPC_OBJECT_IFNET) + ifp->if_label = mac_ifnet_label_alloc(); + else + ifp->if_label = NULL; } int @@ -157,24 +163,18 @@ M_ASSERTPKTHDR(m); -#ifndef MAC_ALWAYS_LABEL_MBUF - /* - * If conditionally allocating mbuf labels, don't allocate unless - * they are required. - */ - if (!mac_labelmbufs) - return (0); -#endif - tag = m_tag_get(PACKET_TAG_MACLABEL, sizeof(struct label), - flag); - if (tag == NULL) - return (ENOMEM); - error = mac_mbuf_tag_init(tag, flag); - if (error) { - m_tag_free(tag); - return (error); + if (mac_labeled & MPC_OBJECT_MBUF) { + tag = m_tag_get(PACKET_TAG_MACLABEL, sizeof(struct label), + flag); + if (tag == NULL) + return (ENOMEM); + error = mac_mbuf_tag_init(tag, flag); + if (error) { + m_tag_free(tag); + return (error); + } + m_tag_prepend(m, tag); } - m_tag_prepend(m, tag); return (0); } @@ -190,8 +190,10 @@ mac_bpfdesc_destroy(struct bpf_d *d) { - mac_bpfdesc_label_free(d->bd_label); - d->bd_label = NULL; + if (d->bd_label != NULL) { + mac_bpfdesc_label_free(d->bd_label); + d->bd_label = NULL; + } } static void 
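Review bot: mac_mbuf_init now returns 0 without attaching a tag whenever MPC_OBJECT_MBUF is clear, but the block-comment that previously explained the conditional allocation was deleted and nothing replaced it, so the silent-success path is undocumented. Suggest restoring a one-line note above the new `if`: `/* Only attach a label tag if some registered policy declared MPC_OBJECT_MBUF; otherwise the mbuf carries no label. */`. The function's signature and the `tag`/`error` declarations are above the hunk.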
@@ -206,8 +208,10 @@ mac_ifnet_destroy(struct ifnet *ifp) { - mac_ifnet_label_free(ifp->if_label); - ifp->if_label = NULL; + if (ifp->if_label != NULL) { + mac_ifnet_label_free(ifp->if_label); + ifp->if_label = NULL; + } } void Index: security/mac/mac_pipe.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac/mac_pipe.c,v retrieving revision 1.113 diff -u -r1.113 mac_pipe.c --- security/mac/mac_pipe.c 24 Oct 2007 19:04:00 -0000 1.113 +++ security/mac/mac_pipe.c 22 May 2008 12:17:25 -0000 @@ -68,7 +68,10 @@ mac_pipe_init(struct pipepair *pp) { - pp->pp_label = mac_pipe_label_alloc(); + if (mac_labeled & MPC_OBJECT_PIPE) + pp->pp_label = mac_pipe_label_alloc(); + else + pp->pp_label = NULL; } void @@ -83,8 +86,10 @@ mac_pipe_destroy(struct pipepair *pp) { - mac_pipe_label_free(pp->pp_label); - pp->pp_label = NULL; + if (pp->pp_label != NULL) { + mac_pipe_label_free(pp->pp_label); + pp->pp_label = NULL; + } } void Index: security/mac/mac_policy.h =================================================================== RCS file: /home/ncvs/src/sys/security/mac/mac_policy.h,v retrieving revision 1.110 diff -u -r1.110 mac_policy.h --- security/mac/mac_policy.h 27 Jun 2008 05:39:04 -0000 1.110 +++ security/mac/mac_policy.h 5 Aug 2008 17:47:10 -0000 @@ -2,6 +2,7 @@ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * Copyright (c) 2005-2006 SPARTA, Inc. + * Copyright (c) 2008 Apple Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. 
@@ -929,17 +930,44 @@ int mpc_loadtime_flags; /* flags */ int *mpc_field_off; /* security field */ int mpc_runtime_flags; /* flags */ + int _mpc_spare1; /* Spare. */ + uint64_t mpc_labeled; /* Labeled objects. */ + uint64_t _mpc_spare2; /* Spare. */ + void *_mpc_spare3; /* Spare. */ LIST_ENTRY(mac_policy_conf) mpc_list; /* global list */ }; /* Flags for the mpc_loadtime_flags field. */ #define MPC_LOADTIME_FLAG_NOTLATE 0x00000001 #define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002 -#define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004 /* Flags for the mpc_runtime_flags field. */ #define MPC_RUNTIME_FLAG_REGISTERED 0x00000001 +/* + * Flags for mpc_labeled declaring which objects should have labels allocated + * for them by the MAC Framework. + */ +#define MPC_OBJECT_CRED 0x0000000000000001 +#define MPC_OBJECT_PROC 0x0000000000000002 +#define MPC_OBJECT_VNODE 0x0000000000000004 +#define MPC_OBJECT_INPCB 0x0000000000000008 +#define MPC_OBJECT_SOCKET 0x0000000000000010 +#define MPC_OBJECT_DEVFS 0x0000000000000020 +#define MPC_OBJECT_MBUF 0x0000000000000040 +#define MPC_OBJECT_IPQ 0x0000000000000080 +#define MPC_OBJECT_IFNET 0x0000000000000100 +#define MPC_OBJECT_BPFDESC 0x0000000000000200 +#define MPC_OBJECT_PIPE 0x0000000000000400 +#define MPC_OBJECT_MOUNT 0x0000000000000800 +#define MPC_OBJECT_POSIXSEM 0x0000000000001000 +#define MPC_OBJECT_POSIXSHM 0x0000000000002000 +#define MPC_OBJECT_SYSVMSG 0x0000000000004000 +#define MPC_OBJECT_SYSVMSQ 0x0000000000008000 +#define MPC_OBJECT_SYSVSEM 0x0000000000010000 +#define MPC_OBJECT_SYSVSHM 0x0000000000020000 +#define MPC_OBJECT_SYNCACHE 0x0000000000040000 + /*- * The TrustedBSD MAC Framework has a major version number, MAC_VERSION, * which defines the ABI of the Framework present in the kernel (and depended 
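Review bot: The new MPC_OBJECT_* block says which objects get labels allocated but not what a policy sees for the objects it leaves out, and that is the contract every entry point now depends on after the *_init/*_destroy changes elsewhere in this diff. Suggest extending the comment: `A policy that leaves a bit clear is passed a NULL label pointer for that object type in its entry points and must not dereference it; a policy registered after objects were created sees NULL labels on those pre-existing objects regardless of its mask.` The new struct members (`mpc_labeled` and the spares) are inserted ahead of `mpc_list`, so this is a layout change to struct mac_policy_conf; see the note on the following hunk about MAC_VERSION.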
@@ -955,14 +983,15 @@ */ #define MAC_VERSION 4 -#define MAC_POLICY_SET(mpops, mpname, mpfullname, mpflags, privdata_wanted) \ +#define MAC_POLICY_SET(mpops, mpname, mpfullname, mpflags, privdata_wanted, \ + labeled) \ static struct mac_policy_conf mpname##_mac_policy_conf = { \ - #mpname, \ - mpfullname, \ - mpops, \ - mpflags, \ - privdata_wanted, \ - 0, \ + .mpc_name = #mpname, \ + .mpc_fullname = mpfullname, \ + .mpc_ops = mpops, \ + .mpc_loadtime_flags = mpflags, \ + .mpc_field_off = privdata_wanted, \ + .mpc_labeled = labeled, \ }; \ static moduledata_t mpname##_mod = { \ #mpname, \ Index: security/mac/mac_posix_sem.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac/mac_posix_sem.c,v retrieving revision 1.14 diff -u -r1.14 mac_posix_sem.c --- security/mac/mac_posix_sem.c 27 Jun 2008 05:39:04 -0000 1.14 +++ security/mac/mac_posix_sem.c 28 Jun 2008 22:55:18 -0000 @@ -64,7 +64,10 @@ mac_posixsem_init(struct ksem *ks) { - ks->ks_label = mac_posixsem_label_alloc(); + if (mac_labeled & MPC_OBJECT_POSIXSEM) + ks->ks_label = mac_posixsem_label_alloc(); + else + ks->ks_label = NULL; } static void @@ -79,8 +82,10 @@ mac_posixsem_destroy(struct ksem *ks) { - mac_posixsem_label_free(ks->ks_label); - ks->ks_label = NULL; + if (ks->ks_label != NULL) { + mac_posixsem_label_free(ks->ks_label); + ks->ks_label = NULL; + } } void Index: security/mac/mac_posix_shm.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac/mac_posix_shm.c,v retrieving revision 1.1 diff -u -r1.1 mac_posix_shm.c --- security/mac/mac_posix_shm.c 8 Jan 2008 21:58:15 -0000 1.1 +++ security/mac/mac_posix_shm.c 22 May 2008 12:17:57 -0000 @@ -63,7 +63,10 @@ mac_posixshm_init(struct shmfd *shmfd) { - shmfd->shm_label = mac_posixshm_label_alloc(); + if (mac_labeled & MPC_OBJECT_POSIXSHM) + shmfd->shm_label = mac_posixshm_label_alloc(); + else + shmfd->shm_label = NULL; } static void 
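Review bot: MAC_POLICY_SET gains a sixth argument and (previous hunk) struct mac_policy_conf gains four members, but `#define MAC_VERSION 4`, which the comment above it describes as defining the ABI of the Framework, is left unchanged as context. A policy module built against the old header would pass stale layout and an uninitialized `mpc_labeled`, which the framework would then OR into mac_labeled; if mac_policy_register rejects modules by version (not visible here), bumping `#define MAC_VERSION 5` makes such modules fail to load instead. Switching the initializer to designated form is a good change and means `mpc_runtime_flags` is now implicitly zero rather than explicitly `0`, which is equivalent.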
@@ -78,8 +81,10 @@ mac_posixshm_destroy(struct shmfd *shmfd) { - mac_posixshm_label_free(shmfd->shm_label); - shmfd->shm_label = NULL; + if (shmfd->shm_label != NULL) { + mac_posixshm_label_free(shmfd->shm_label); + shmfd->shm_label = NULL; + } } void Index: security/mac/mac_process.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac/mac_process.c,v retrieving revision 1.122 diff -u -r1.122 mac_process.c --- security/mac/mac_process.c 13 Jan 2008 14:44:13 -0000 1.122 +++ security/mac/mac_process.c 5 Aug 2008 17:47:41 -0000 @@ -97,7 +97,10 @@ mac_cred_init(struct ucred *cred) { - cred->cr_label = mac_cred_label_alloc(); + if (mac_labeled & MPC_OBJECT_CRED) + cred->cr_label = mac_cred_label_alloc(); + else + cred->cr_label = NULL; } static struct label * @@ -114,7 +117,10 @@ mac_proc_init(struct proc *p) { - p->p_label = mac_proc_label_alloc(); + if (mac_labeled & MPC_OBJECT_PROC) + p->p_label = mac_proc_label_alloc(); + else + p->p_label = NULL; } void @@ -129,8 +135,10 @@ mac_cred_destroy(struct ucred *cred) { - mac_cred_label_free(cred->cr_label); - cred->cr_label = NULL; + if (cred->cr_label != NULL) { + mac_cred_label_free(cred->cr_label); + cred->cr_label = NULL; + } } static void @@ -145,8 +153,10 @@ mac_proc_destroy(struct proc *p) { - mac_proc_label_free(p->p_label); - p->p_label = NULL; + if (p->p_label != NULL) { + mac_proc_label_free(p->p_label); + p->p_label = NULL; + } } int Index: security/mac/mac_socket.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac/mac_socket.c,v retrieving revision 1.11 diff -u -r1.11 mac_socket.c --- security/mac/mac_socket.c 24 Oct 2007 19:04:01 -0000 1.11 +++ security/mac/mac_socket.c 5 Aug 2008 17:47:49 -0000 
@@ -126,14 +126,19 @@ mac_socket_init(struct socket *so, int flag) { - so->so_label = mac_socket_label_alloc(flag); - if (so->so_label == NULL) - return (ENOMEM); - so->so_peerlabel = mac_socketpeer_label_alloc(flag); - if (so->so_peerlabel == NULL) { - mac_socket_label_free(so->so_label); + if (mac_labeled & MPC_OBJECT_SOCKET) { + so->so_label = mac_socket_label_alloc(flag); + if (so->so_label == NULL) + return (ENOMEM); + so->so_peerlabel = mac_socketpeer_label_alloc(flag); + if (so->so_peerlabel == NULL) { + mac_socket_label_free(so->so_label); + so->so_label = NULL; + return (ENOMEM); + } + } else { so->so_label = NULL; - return (ENOMEM); + so->so_peerlabel = NULL; } return (0); } @@ -158,10 +163,12 @@ mac_socket_destroy(struct socket *so) { - mac_socket_label_free(so->so_label); - so->so_label = NULL; - mac_socketpeer_label_free(so->so_peerlabel); - so->so_peerlabel = NULL; + if (so->so_label != NULL) { + mac_socket_label_free(so->so_label); + so->so_label = NULL; + mac_socketpeer_label_free(so->so_peerlabel); + so->so_peerlabel = NULL; + } } void Index: security/mac/mac_sysv_msg.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac/mac_sysv_msg.c,v retrieving revision 1.10 diff -u -r1.10 mac_sysv_msg.c --- security/mac/mac_sysv_msg.c 24 Oct 2007 19:04:01 -0000 1.10 +++ security/mac/mac_sysv_msg.c 22 May 2008 11:38:34 -0000 @@ -70,7 +70,10 @@ mac_sysvmsg_init(struct msg *msgptr) { - msgptr->label = mac_sysv_msgmsg_label_alloc(); + if (mac_labeled & MPC_OBJECT_SYSVMSG) + msgptr->label = mac_sysv_msgmsg_label_alloc(); + else + msgptr->label = NULL; } static struct label * @@ -87,7 +90,10 @@ mac_sysvmsq_init(struct msqid_kernel *msqkptr) { - msqkptr->label = mac_sysv_msgqueue_label_alloc(); + if (mac_labeled & MPC_OBJECT_SYSVMSQ) + msqkptr->label = mac_sysv_msgqueue_label_alloc(); + else + msqkptr->label = NULL; } static void 
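Review bot: In mac_socket_destroy the new guard checks only `so->so_label` and frees `so->so_peerlabel` inside the same block, so it relies on the two labels always being allocated or skipped together; mac_socket_init in the previous hunk does maintain that, but every other *_destroy routine in this diff guards the pointer it actually frees. Guarding each pointer independently — a second `if (so->so_peerlabel != NULL) { ... }` block around the peer-label free — costs nothing and keeps the function correct if the init invariant ever changes.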
@@ -102,8 +108,10 @@ mac_sysvmsg_destroy(struct msg *msgptr) { - mac_sysv_msgmsg_label_free(msgptr->label); - msgptr->label = NULL; + if (msgptr->label != NULL) { + mac_sysv_msgmsg_label_free(msgptr->label); + msgptr->label = NULL; + } } static void @@ -118,8 +126,10 @@ mac_sysvmsq_destroy(struct msqid_kernel *msqkptr) { - mac_sysv_msgqueue_label_free(msqkptr->label); - msqkptr->label = NULL; + if (msqkptr->label != NULL) { + mac_sysv_msgqueue_label_free(msqkptr->label); + msqkptr->label = NULL; + } } void Index: security/mac/mac_sysv_sem.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac/mac_sysv_sem.c,v retrieving revision 1.9 diff -u -r1.9 mac_sysv_sem.c --- security/mac/mac_sysv_sem.c 24 Oct 2007 19:04:01 -0000 1.9 +++ security/mac/mac_sysv_sem.c 22 May 2008 11:38:37 -0000 @@ -70,7 +70,10 @@ mac_sysvsem_init(struct semid_kernel *semakptr) { - semakptr->label = mac_sysv_sem_label_alloc(); + if (mac_labeled & MPC_OBJECT_SYSVSEM) + semakptr->label = mac_sysv_sem_label_alloc(); + else + semakptr->label = NULL; } static void @@ -85,8 +88,10 @@ mac_sysvsem_destroy(struct semid_kernel *semakptr) { - mac_sysv_sem_label_free(semakptr->label); - semakptr->label = NULL; + if (semakptr->label != NULL) { + mac_sysv_sem_label_free(semakptr->label); + semakptr->label = NULL; + } } void Index: security/mac/mac_sysv_shm.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac/mac_sysv_shm.c,v retrieving revision 1.8 diff -u -r1.8 mac_sysv_shm.c --- security/mac/mac_sysv_shm.c 24 Oct 2007 19:04:01 -0000 1.8 +++ security/mac/mac_sysv_shm.c 22 May 2008 11:38:39 -0000 @@ -70,7 +70,10 @@ mac_sysvshm_init(struct shmid_kernel *shmsegptr) { - shmsegptr->label = mac_sysv_shm_label_alloc(); + if (mac_labeled & MPC_OBJECT_SYSVSHM) + shmsegptr->label = mac_sysv_shm_label_alloc(); + else + shmsegptr->label = NULL; } static void 
@@ -85,8 +88,10 @@ mac_sysvshm_destroy(struct shmid_kernel *shmsegptr) { - mac_sysv_shm_label_free(shmsegptr->label); - shmsegptr->label = NULL; + if (shmsegptr->label != NULL) { + mac_sysv_shm_label_free(shmsegptr->label); + shmsegptr->label = NULL; + } } void Index: security/mac/mac_vfs.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac/mac_vfs.c,v retrieving revision 1.125 diff -u -r1.125 mac_vfs.c --- security/mac/mac_vfs.c 25 Oct 2007 12:34:13 -0000 1.125 +++ security/mac/mac_vfs.c 5 Aug 2008 17:48:00 -0000 @@ -94,7 +94,10 @@ mac_devfs_init(struct devfs_dirent *de) { - de->de_label = mac_devfs_label_alloc(); + if (mac_labeled & MPC_OBJECT_DEVFS) + de->de_label = mac_devfs_label_alloc(); + else + de->de_label = NULL; } static struct label * @@ -111,7 +114,10 @@ mac_mount_init(struct mount *mp) { - mp->mnt_label = mac_mount_label_alloc(); + if (mac_labeled & MPC_OBJECT_MOUNT) + mp->mnt_label = mac_mount_label_alloc(); + else + mp->mnt_label = NULL; } struct label * @@ -128,7 +134,10 @@ mac_vnode_init(struct vnode *vp) { - vp->v_label = mac_vnode_label_alloc(); + if (mac_labeled & MPC_OBJECT_VNODE) + vp->v_label = mac_vnode_label_alloc(); + else + vp->v_label = NULL; } static void @@ -143,8 +152,10 @@ mac_devfs_destroy(struct devfs_dirent *de) { - mac_devfs_label_free(de->de_label); - de->de_label = NULL; + if (de->de_label != NULL) { + mac_devfs_label_free(de->de_label); + de->de_label = NULL; + } } static void @@ -159,8 +170,10 @@ mac_mount_destroy(struct mount *mp) { - mac_mount_label_free(mp->mnt_label); - mp->mnt_label = NULL; + if (mp->mnt_label != NULL) { + mac_mount_label_free(mp->mnt_label); + mp->mnt_label = NULL; + } } void 
@@ -175,8 +188,10 @@ mac_vnode_destroy(struct vnode *vp) { - mac_vnode_label_free(vp->v_label); - vp->v_label = NULL; + if (vp->v_label != NULL) { + mac_vnode_label_free(vp->v_label); + vp->v_label = NULL; + } } void Index: security/mac_biba/mac_biba.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac_biba/mac_biba.c,v retrieving revision 1.120 diff -u -r1.120 mac_biba.c --- security/mac_biba/mac_biba.c 27 Jun 2008 05:39:04 -0000 1.120 +++ security/mac_biba/mac_biba.c 5 Aug 2008 17:48:11 -0000 @@ -3477,5 +3477,25 @@ .mpo_vnode_setlabel_extattr = biba_vnode_setlabel_extattr, }; +#define BIBA_OBJECTS (MPC_OBJECT_CRED | \ + /* MPC_OBJECT_PROC | */ \ + MPC_OBJECT_VNODE | \ + MPC_OBJECT_INPCB | \ + MPC_OBJECT_SOCKET | \ + MPC_OBJECT_DEVFS | \ + MPC_OBJECT_MBUF | \ + MPC_OBJECT_IPQ | \ + MPC_OBJECT_IFNET | \ + MPC_OBJECT_BPFDESC | \ + MPC_OBJECT_PIPE | \ + MPC_OBJECT_MOUNT | \ + MPC_OBJECT_POSIXSEM | \ + /* MPC_OBJECT_POSIXSHM | */ \ + MPC_OBJECT_SYSVMSG | \ + MPC_OBJECT_SYSVMSQ | \ + MPC_OBJECT_SYSVSEM | \ + MPC_OBJECT_SYSVSHM | \ + MPC_OBJECT_SYNCACHE) + MAC_POLICY_SET(&mac_biba_ops, mac_biba, "TrustedBSD MAC/Biba", - MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS, &biba_slot); + MPC_LOADTIME_FLAG_NOTLATE, &biba_slot, BIBA_OBJECTS); Index: security/mac_bsdextended/mac_bsdextended.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac_bsdextended/mac_bsdextended.c,v retrieving revision 1.43 diff -u -r1.43 mac_bsdextended.c --- security/mac_bsdextended/mac_bsdextended.c 31 Jul 2008 20:49:12 -0000 1.43 +++ security/mac_bsdextended/mac_bsdextended.c 3 Aug 2008 12:32:04 -0000 
@@ -748,4 +748,4 @@ }; MAC_POLICY_SET(&ugidfw_ops, mac_bsdextended, "TrustedBSD MAC/BSD Extended", - MPC_LOADTIME_FLAG_UNLOADOK, NULL); + MPC_LOADTIME_FLAG_UNLOADOK, NULL, 0); Index: security/mac_ifoff/mac_ifoff.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac_ifoff/mac_ifoff.c,v retrieving revision 1.16 diff -u -r1.16 mac_ifoff.c --- security/mac_ifoff/mac_ifoff.c 29 Oct 2007 13:33:05 -0000 1.16 +++ security/mac_ifoff/mac_ifoff.c 22 May 2008 11:13:22 -0000 @@ -170,4 +170,4 @@ }; MAC_POLICY_SET(&ifoff_ops, mac_ifoff, "TrustedBSD MAC/ifoff", - MPC_LOADTIME_FLAG_UNLOADOK, NULL); + MPC_LOADTIME_FLAG_UNLOADOK, NULL, 0); Index: security/mac_lomac/mac_lomac.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac_lomac/mac_lomac.c,v retrieving revision 1.63 diff -u -r1.63 mac_lomac.c --- security/mac_lomac/mac_lomac.c 13 Jun 2008 22:14:15 -0000 1.63 +++ security/mac_lomac/mac_lomac.c 5 Aug 2008 17:46:05 -0000 
@@ -2982,5 +2982,25 @@ .mpo_vnode_setlabel_extattr = lomac_vnode_setlabel_extattr, }; +#define LOMAC_OBJECTS (MPC_OBJECT_CRED | \ + /* MPC_OBJECT_PROC | */ \ + MPC_OBJECT_VNODE | \ + MPC_OBJECT_INPCB | \ + MPC_OBJECT_SOCKET | \ + MPC_OBJECT_DEVFS | \ + MPC_OBJECT_MBUF | \ + MPC_OBJECT_IPQ | \ + MPC_OBJECT_IFNET | \ + MPC_OBJECT_BPFDESC | \ + MPC_OBJECT_PIPE | \ + MPC_OBJECT_MOUNT | \ + /* MPC_OBJECT_POSIXSEM | */ \ + /* MPC_OBJECT_POSIXSHM | */ \ + /* MPC_OBJECT_SYSVMSG | */ \ + /* MPC_OBJECT_SYSVMSQ | */ \ + /* MPC_OBJECT_SYSVSEM | */ \ + /* MPC_OBJECT_SYSVSHM | */ \ + MPC_OBJECT_SYNCACHE) + MAC_POLICY_SET(&lomac_ops, mac_lomac, "TrustedBSD MAC/LOMAC", - MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS, &lomac_slot); + MPC_LOADTIME_FLAG_NOTLATE, &lomac_slot, LOMAC_OBJECTS); Index: security/mac_mls/mac_mls.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac_mls/mac_mls.c,v retrieving revision 1.102 diff -u -r1.102 mac_mls.c --- security/mac_mls/mac_mls.c 27 Jun 2008 05:39:04 -0000 1.102 +++ security/mac_mls/mac_mls.c 5 Aug 2008 17:48:23 -0000 
@@ -3096,5 +3096,25 @@ .mpo_vnode_setlabel_extattr = mls_vnode_setlabel_extattr, }; +#define MLS_OBJECTS (MPC_OBJECT_CRED | \ + /* MPC_OBJECT_PROC | */ \ + MPC_OBJECT_VNODE | \ + MPC_OBJECT_INPCB | \ + MPC_OBJECT_SOCKET | \ + MPC_OBJECT_DEVFS | \ + MPC_OBJECT_MBUF | \ + MPC_OBJECT_IPQ | \ + MPC_OBJECT_IFNET | \ + MPC_OBJECT_BPFDESC | \ + MPC_OBJECT_PIPE | \ + MPC_OBJECT_MOUNT | \ + MPC_OBJECT_POSIXSEM | \ + /* MPC_OBJECT_POSIXSHM | */ \ + MPC_OBJECT_SYSVMSG | \ + MPC_OBJECT_SYSVMSQ | \ + MPC_OBJECT_SYSVSEM | \ + MPC_OBJECT_SYSVSHM | \ + MPC_OBJECT_SYNCACHE) + MAC_POLICY_SET(&mls_ops, mac_mls, "TrustedBSD MAC/MLS", - MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS, &mls_slot); + MPC_LOADTIME_FLAG_NOTLATE, &mls_slot, MLS_OBJECTS); Index: security/mac_none/mac_none.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac_none/mac_none.c,v retrieving revision 1.37 diff -u -r1.37 mac_none.c --- security/mac_none/mac_none.c 25 Oct 2007 11:31:10 -0000 1.37 +++ security/mac_none/mac_none.c 5 Aug 2008 17:48:49 -0000 @@ -53,4 +53,4 @@ }; MAC_POLICY_SET(&none_ops, mac_none, "TrustedBSD MAC/None", - MPC_LOADTIME_FLAG_UNLOADOK, NULL); + MPC_LOADTIME_FLAG_UNLOADOK, NULL, 0); Index: security/mac_partition/mac_partition.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac_partition/mac_partition.c,v retrieving revision 1.22 diff -u -r1.22 mac_partition.c --- security/mac_partition/mac_partition.c 29 Oct 2007 13:33:05 -0000 1.22 +++ security/mac_partition/mac_partition.c 5 Aug 2008 17:49:00 -0000 
@@ -273,4 +273,4 @@ }; MAC_POLICY_SET(&partition_ops, mac_partition, "TrustedBSD MAC/Partition", - MPC_LOADTIME_FLAG_UNLOADOK, &partition_slot); + MPC_LOADTIME_FLAG_UNLOADOK, &partition_slot, MPC_OBJECT_CRED); Index: security/mac_portacl/mac_portacl.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac_portacl/mac_portacl.c,v retrieving revision 1.17 diff -u -r1.17 mac_portacl.c --- security/mac_portacl/mac_portacl.c 25 Oct 2007 11:31:10 -0000 1.17 +++ security/mac_portacl/mac_portacl.c 22 May 2008 11:13:32 -0000 @@ -490,4 +490,4 @@ }; MAC_POLICY_SET(&portacl_ops, mac_portacl, "TrustedBSD MAC/portacl", - MPC_LOADTIME_FLAG_UNLOADOK, NULL); + MPC_LOADTIME_FLAG_UNLOADOK, NULL, 0); Index: security/mac_seeotheruids/mac_seeotheruids.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac_seeotheruids/mac_seeotheruids.c,v retrieving revision 1.18 diff -u -r1.18 mac_seeotheruids.c --- security/mac_seeotheruids/mac_seeotheruids.c 29 Oct 2007 13:33:06 -0000 1.18 +++ security/mac_seeotheruids/mac_seeotheruids.c 22 May 2008 11:13:34 -0000 @@ -172,4 +172,4 @@ }; MAC_POLICY_SET(&seeotheruids_ops, mac_seeotheruids, - "TrustedBSD MAC/seeotheruids", MPC_LOADTIME_FLAG_UNLOADOK, NULL); + "TrustedBSD MAC/seeotheruids", MPC_LOADTIME_FLAG_UNLOADOK, NULL, 0); Index: security/mac_stub/mac_stub.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac_stub/mac_stub.c,v retrieving revision 1.83 diff -u -r1.83 mac_stub.c --- security/mac_stub/mac_stub.c 27 Jun 2008 05:39:04 -0000 1.83 +++ security/mac_stub/mac_stub.c 5 Aug 2008 17:49:21 -0000 @@ -2,6 +2,7 @@ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson * Copyright (c) 2001-2005 McAfee, Inc. * Copyright (c) 2005-2006 SPARTA, Inc. + * Copyright (c) 2008 Apple Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. 
@@ -1754,5 +1755,25 @@ .mpo_vnode_setlabel_extattr = stub_vnode_setlabel_extattr, }; +#define STUB_OBJECTS (MPC_OBJECT_CRED | \ + /* XXX: MPC_OBJECT_PROC | */ \ + MPC_OBJECT_VNODE | \ + MPC_OBJECT_INPCB | \ + MPC_OBJECT_SOCKET | \ + MPC_OBJECT_DEVFS | \ + MPC_OBJECT_MBUF | \ + MPC_OBJECT_IPQ | \ + MPC_OBJECT_IFNET | \ + MPC_OBJECT_BPFDESC | \ + MPC_OBJECT_PIPE | \ + MPC_OBJECT_MOUNT | \ + MPC_OBJECT_POSIXSEM | \ + MPC_OBJECT_POSIXSHM | \ + MPC_OBJECT_SYSVMSG | \ + MPC_OBJECT_SYSVMSQ | \ + MPC_OBJECT_SYSVSEM | \ + MPC_OBJECT_SYSVSHM | \ + MPC_OBJECT_SYNCACHE) + MAC_POLICY_SET(&stub_ops, mac_stub, "TrustedBSD MAC/Stub", - MPC_LOADTIME_FLAG_UNLOADOK, NULL); + MPC_LOADTIME_FLAG_UNLOADOK, NULL, STUB_OBJECTS); Index: security/mac_test/mac_test.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac_test/mac_test.c,v retrieving revision 1.98 diff -u -r1.98 mac_test.c --- security/mac_test/mac_test.c 27 Jun 2008 05:39:04 -0000 1.98 +++ security/mac_test/mac_test.c 5 Aug 2008 17:49:36 -0000 @@ -2,6 +2,7 @@ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson * Copyright (c) 2001-2005 McAfee, Inc. * Copyright (c) 2006 SPARTA, Inc. + * Copyright (c) 2008 Apple Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. 
@@ -3046,5 +3047,25 @@ .mpo_vnode_setlabel_extattr = test_vnode_setlabel_extattr, }; +#define TEST_OBJECTS (MPC_OBJECT_CRED | \ + MPC_OBJECT_PROC | \ + MPC_OBJECT_VNODE | \ + MPC_OBJECT_INPCB | \ + MPC_OBJECT_SOCKET | \ + MPC_OBJECT_DEVFS | \ + MPC_OBJECT_MBUF | \ + MPC_OBJECT_IPQ | \ + MPC_OBJECT_IFNET | \ + MPC_OBJECT_BPFDESC | \ + MPC_OBJECT_PIPE | \ + MPC_OBJECT_MOUNT | \ + MPC_OBJECT_POSIXSEM | \ + MPC_OBJECT_POSIXSHM | \ + MPC_OBJECT_SYSVMSG | \ + MPC_OBJECT_SYSVMSQ | \ + MPC_OBJECT_SYSVSEM | \ + MPC_OBJECT_SYSVSHM | \ + MPC_OBJECT_SYNCACHE) + MAC_POLICY_SET(&test_ops, mac_test, "TrustedBSD MAC/Test", - MPC_LOADTIME_FLAG_UNLOADOK | MPC_LOADTIME_FLAG_LABELMBUFS, &test_slot); + MPC_LOADTIME_FLAG_UNLOADOK, &test_slot, TEST_OBJECTS);