svn commit: r238285 - stable/9/sys/security/mac

Robert Watson rwatson at FreeBSD.org
Mon Jul 9 08:42:54 UTC 2012


Author: rwatson
Date: Mon Jul  9 08:42:54 2012
New Revision: 238285
URL: http://svn.freebsd.org/changeset/base/238285

Log:
  Merge r234032 from head to stable/9:
  
    When allocation of labels on files is implicitly disabled due to MAC
    policy configuration, avoid leaking resources following failed calls
    to get and set MAC labels by file descriptor.
  
    Reported by:	Mateusz Guzik <mjguzik at gmail.com> + clang scan-build
  
  Approved by:	re (kib)

Modified:
  stable/9/sys/security/mac/mac_syscalls.c
Directory Properties:
  stable/9/sys/   (props changed)

Modified: stable/9/sys/security/mac/mac_syscalls.c
==============================================================================
--- stable/9/sys/security/mac/mac_syscalls.c	Mon Jul  9 08:37:59 2012	(r238284)
+++ stable/9/sys/security/mac/mac_syscalls.c	Mon Jul  9 08:42:54 2012	(r238285)
@@ -256,8 +256,10 @@ sys___mac_get_fd(struct thread *td, stru
 	switch (fp->f_type) {
 	case DTYPE_FIFO:
 	case DTYPE_VNODE:
-		if (!(mac_labeled & MPC_OBJECT_VNODE))
-			return (EINVAL);
+		if (!(mac_labeled & MPC_OBJECT_VNODE)) {
+			error = EINVAL;
+			goto out_fdrop;
+		}
 		vp = fp->f_vnode;
 		intlabel = mac_vnode_label_alloc();
 		vfslocked = VFS_LOCK_GIANT(vp->v_mount);
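Review bot: The new guard at the top of the DTYPE_FIFO/DTYPE_VNODE case is repeated verbatim for DTYPE_PIPE and DTYPE_SOCKET in the next two hunks of sys___mac_get_fd, and again in the three corresponding hunks of sys___mac_set_fd, each setting `error = EINVAL` and relying on `out_fdrop` to undo the fget() that presumably precedes the switch outside this hunk. Folding the `mac_labeled` check into one place — a small static helper that maps `fp->f_type` to the required `MPC_OBJECT_*` bit, called once before the switch (or before fget(), where the existing `goto out` path would already release everything) — would leave a single spot that can miss the cleanup and make the `out_fdrop` label unnecessary. If the per-case form is kept, a one-line comment at the first guard, `/* Label allocation disabled by policy config: unwind via out_fdrop, not return. */`, would explain to the next person adding a case why a bare `return` is wrong here. The enclosing function starts and ends outside this hunk.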
@@ -271,8 +273,10 @@ sys___mac_get_fd(struct thread *td, stru
 		break;
 
 	case DTYPE_PIPE:
-		if (!(mac_labeled & MPC_OBJECT_PIPE))
-			return (EINVAL);
+		if (!(mac_labeled & MPC_OBJECT_PIPE)) {
+			error = EINVAL;
+			goto out_fdrop;
+		}
 		pipe = fp->f_data;
 		intlabel = mac_pipe_label_alloc();
 		PIPE_LOCK(pipe);
@@ -284,8 +288,10 @@ sys___mac_get_fd(struct thread *td, stru
 		break;
 
 	case DTYPE_SOCKET:
-		if (!(mac_labeled & MPC_OBJECT_SOCKET))
-			return (EINVAL);
+		if (!(mac_labeled & MPC_OBJECT_SOCKET)) {
+			error = EINVAL;
+			goto out_fdrop;
+		}
 		so = fp->f_data;
 		intlabel = mac_socket_label_alloc(M_WAITOK);
 		SOCK_LOCK(so);
@@ -299,10 +305,10 @@ sys___mac_get_fd(struct thread *td, stru
 	default:
 		error = EINVAL;
 	}
-	fdrop(fp, td);
 	if (error == 0)
 		error = copyout(buffer, mac.m_string, strlen(buffer)+1);
-
+out_fdrop:
+	fdrop(fp, td);
 out:
 	free(buffer, M_MACTEMP);
 	free(elements, M_MACTEMP);
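Review bot: Moving `fdrop(fp, td)` below the `copyout()` reverses the unwind order of the old code, so the file reference is now held across the copy to user space; fdrop() only releases a reference, so this appears harmless, but the hunk does not say the reordering is deliberate. A short comment on the label, `/* Reached with fp referenced; drop it before freeing the temporaries. */`, would record that `out_fdrop` is the single exit for every path past fget() and keep a later cleanup from restoring the old order. The same comment applies to the `out_fdrop:` label added in the last hunk of sys___mac_set_fd.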
@@ -450,8 +456,10 @@ sys___mac_set_fd(struct thread *td, stru
 	switch (fp->f_type) {
 	case DTYPE_FIFO:
 	case DTYPE_VNODE:
-		if (!(mac_labeled & MPC_OBJECT_VNODE))
-			return (EINVAL);
+		if (!(mac_labeled & MPC_OBJECT_VNODE)) {
+			error = EINVAL;
+			goto out_fdrop;
+		}
 		intlabel = mac_vnode_label_alloc();
 		error = mac_vnode_internalize_label(intlabel, buffer);
 		if (error) {
@@ -475,8 +483,10 @@ sys___mac_set_fd(struct thread *td, stru
 		break;
 
 	case DTYPE_PIPE:
-		if (!(mac_labeled & MPC_OBJECT_PIPE))
-			return (EINVAL);
+		if (!(mac_labeled & MPC_OBJECT_PIPE)) {
+			error = EINVAL;
+			goto out_fdrop;
+		}
 		intlabel = mac_pipe_label_alloc();
 		error = mac_pipe_internalize_label(intlabel, buffer);
 		if (error == 0) {
@@ -490,8 +500,10 @@ sys___mac_set_fd(struct thread *td, stru
 		break;
 
 	case DTYPE_SOCKET:
-		if (!(mac_labeled & MPC_OBJECT_SOCKET))
-			return (EINVAL);
+		if (!(mac_labeled & MPC_OBJECT_SOCKET)) {
+			error = EINVAL;
+			goto out_fdrop;
+		}
 		intlabel = mac_socket_label_alloc(M_WAITOK);
 		error = mac_socket_internalize_label(intlabel, buffer);
 		if (error == 0) {
@@ -505,6 +517,7 @@ sys___mac_set_fd(struct thread *td, stru
 	default:
 		error = EINVAL;
 	}
+out_fdrop:
 	fdrop(fp, td);
 out:
 	free(buffer, M_MACTEMP);

