git: 8deb442cf7ab - main - mac: Honor order when registering MAC modules.
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 18 Apr 2023 19:37:05 UTC
The branch main has been updated by stevek:
URL: https://cgit.FreeBSD.org/src/commit/?id=8deb442cf7ab2b1097a9186c895017a737d84370
commit 8deb442cf7ab2b1097a9186c895017a737d84370
Author: Steve Kiernan <stevek@juniper.net>
AuthorDate: 2023-04-02 22:17:17 +0000
Commit: Stephen J. Kiernan <stevek@FreeBSD.org>
CommitDate: 2023-04-18 19:36:27 +0000
mac: Honor order when registering MAC modules.
Ensure MAC modules are inserted in order that they are registered.
Reviewed by: markj
Obtained from: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D39589
---
sys/security/mac/mac_framework.c | 38 ++++++++++++++++----------------------
1 file changed, 16 insertions(+), 22 deletions(-)
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 8fc67f6c1b85..5231783ab454 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -519,7 +519,8 @@ mac_policy_fastpath_unregister(struct mac_policy_conf *mpc)
static int
mac_policy_register(struct mac_policy_conf *mpc)
{
- struct mac_policy_conf *tmpc;
+ struct mac_policy_list_head *mpc_list;
+ struct mac_policy_conf *last_mpc, *tmpc;
int error, slot, static_entry;
error = 0;
@@ -539,19 +540,14 @@ mac_policy_register(struct mac_policy_conf *mpc)
static_entry = (!mac_late &&
!(mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK));
- if (static_entry) {
- LIST_FOREACH(tmpc, &mac_static_policy_list, mpc_list) {
- if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
- error = EEXIST;
- goto out;
- }
- }
- } else {
- LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) {
- if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
- error = EEXIST;
- goto out;
- }
+ mpc_list = (static_entry) ? &mac_static_policy_list :
+ &mac_policy_list;
+ last_mpc = NULL;
+ LIST_FOREACH(tmpc, mpc_list, mpc_list) {
+ last_mpc = tmpc;
+ if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
+ error = EEXIST;
+ goto out;
}
}
if (mpc->mpc_field_off != NULL) {
@@ -567,16 +563,14 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED;
/*
- * If we're loading a MAC module after the framework has initialized,
- * it has to go into the dynamic list. If we're loading it before
- * we've finished initializing, it can go into the static list with
- * weaker locker requirements.
+ * Some modules may depend on the operations of its dependencies.
+ * Inserting modules in order of registration ensures operations
+ * that work on the module list retain dependency order.
*/
- if (static_entry)
- LIST_INSERT_HEAD(&mac_static_policy_list, mpc, mpc_list);
+ if (last_mpc == NULL)
+ LIST_INSERT_HEAD(mpc_list, mpc, mpc_list);
else
- LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list);
-
+ LIST_INSERT_AFTER(last_mpc, mpc, mpc_list);
/*
* Per-policy initialization. Currently, this takes place under the
* exclusive lock, so policies must not sleep in their init method.