svn commit: r191731 - head/sys/security/mac

Robert Watson rwatson at FreeBSD.org
Fri May 1 21:05:42 UTC 2009


Author: rwatson
Date: Fri May  1 21:05:40 2009
New Revision: 191731
URL: http://svn.freebsd.org/changeset/base/191731

Log:
  Rename MAC Framework-internal macros used to invoke policy entry points:
  
    MAC_BOOLEAN           -> MAC_POLICY_BOOLEAN
    MAC_BOOLEAN_NOSLEEP   -> MAC_POLICY_BOOLEAN_NOSLEEP
    MAC_CHECK             -> MAC_POLICY_CHECK
    MAC_CHECK_NOSLEEP     -> MAC_POLICY_CHECK_NOSLEEP
    MAC_EXTERNALIZE       -> MAC_POLICY_EXTERNALIZE
    MAC_GRANT             -> MAC_POLICY_GRANT
    MAC_GRANT_NOSLEEP     -> MAC_POLICY_GRANT_NOSLEEP
    MAC_INTERNALIZE       -> MAC_POLICY_INTERNALIZE
    MAC_PERFORM           -> MAC_POLICY_PERFORM_CHECK
    MAC_PERFORM_NOSLEEP   -> MAC_POLICY_PERFORM_NOSLEEP
  
  This frees up those macro names for use in wrapping calls into the MAC
  Framework from the remainder of the kernel.
  
  Obtained from:	TrustedBSD Project

Modified:
  head/sys/security/mac/mac_atalk.c
  head/sys/security/mac/mac_audit.c
  head/sys/security/mac/mac_cred.c
  head/sys/security/mac/mac_inet.c
  head/sys/security/mac/mac_inet6.c
  head/sys/security/mac/mac_internal.h
  head/sys/security/mac/mac_net.c
  head/sys/security/mac/mac_pipe.c
  head/sys/security/mac/mac_posix_sem.c
  head/sys/security/mac/mac_posix_shm.c
  head/sys/security/mac/mac_priv.c
  head/sys/security/mac/mac_process.c
  head/sys/security/mac/mac_socket.c
  head/sys/security/mac/mac_system.c
  head/sys/security/mac/mac_sysv_msg.c
  head/sys/security/mac/mac_sysv_sem.c
  head/sys/security/mac/mac_sysv_shm.c
  head/sys/security/mac/mac_vfs.c

Modified: head/sys/security/mac/mac_atalk.c
==============================================================================
--- head/sys/security/mac/mac_atalk.c	Fri May  1 20:53:37 2009	(r191730)
+++ head/sys/security/mac/mac_atalk.c	Fri May  1 21:05:40 2009	(r191731)
@@ -64,7 +64,7 @@ mac_netatalk_aarp_send(struct ifnet *ifp
 	mlabel = mac_mbuf_to_label(m);
 
 	MAC_IFNET_LOCK(ifp);
-	MAC_PERFORM_NOSLEEP(netatalk_aarp_send, ifp, ifp->if_label, m,
+	MAC_POLICY_PERFORM_NOSLEEP(netatalk_aarp_send, ifp, ifp->if_label, m,
 	    mlabel);
 	MAC_IFNET_UNLOCK(ifp);
 }

Modified: head/sys/security/mac/mac_audit.c
==============================================================================
--- head/sys/security/mac/mac_audit.c	Fri May  1 20:53:37 2009	(r191730)
+++ head/sys/security/mac/mac_audit.c	Fri May  1 21:05:40 2009	(r191731)
@@ -66,7 +66,7 @@ mac_cred_check_setaudit(struct ucred *cr
 {
 	int error;
 
-	MAC_CHECK_NOSLEEP(cred_check_setaudit, cred, ai);
+	MAC_POLICY_CHECK_NOSLEEP(cred_check_setaudit, cred, ai);
 	MAC_CHECK_PROBE2(cred_check_setaudit, error, cred, ai);
 
 	return (error);
@@ -80,7 +80,7 @@ mac_cred_check_setaudit_addr(struct ucre
 {
 	int error;
 
-	MAC_CHECK_NOSLEEP(cred_check_setaudit_addr, cred, aia);
+	MAC_POLICY_CHECK_NOSLEEP(cred_check_setaudit_addr, cred, aia);
 	MAC_CHECK_PROBE2(cred_check_setaudit_addr, error, cred, aia);
 
 	return (error);
@@ -93,7 +93,7 @@ mac_cred_check_setauid(struct ucred *cre
 {
 	int error;
 
-	MAC_CHECK_NOSLEEP(cred_check_setauid, cred, auid);
+	MAC_POLICY_CHECK_NOSLEEP(cred_check_setauid, cred, auid);
 	MAC_CHECK_PROBE2(cred_check_setauid, error, cred, auid);
 
 	return (error);
@@ -107,7 +107,7 @@ mac_system_check_audit(struct ucred *cre
 {
 	int error;
 
-	MAC_CHECK_NOSLEEP(system_check_audit, cred, record, length);
+	MAC_POLICY_CHECK_NOSLEEP(system_check_audit, cred, record, length);
 	MAC_CHECK_PROBE3(system_check_audit, error, cred, record, length);
 
 	return (error);
@@ -125,7 +125,7 @@ mac_system_check_auditctl(struct ucred *
 	ASSERT_VOP_LOCKED(vp, "mac_system_check_auditctl");
 
 	vl = (vp != NULL) ? vp->v_label : NULL;
-	MAC_CHECK(system_check_auditctl, cred, vp, vl);
+	MAC_POLICY_CHECK(system_check_auditctl, cred, vp, vl);
 	MAC_CHECK_PROBE2(system_check_auditctl, error, cred, vp);
 
 	return (error);
@@ -138,7 +138,7 @@ mac_system_check_auditon(struct ucred *c
 {
 	int error;
 
-	MAC_CHECK_NOSLEEP(system_check_auditon, cred, cmd);
+	MAC_POLICY_CHECK_NOSLEEP(system_check_auditon, cred, cmd);
 	MAC_CHECK_PROBE2(system_check_auditon, error, cred, cmd);
 
 	return (error);

Modified: head/sys/security/mac/mac_cred.c
==============================================================================
--- head/sys/security/mac/mac_cred.c	Fri May  1 20:53:37 2009	(r191730)
+++ head/sys/security/mac/mac_cred.c	Fri May  1 21:05:40 2009	(r191731)
@@ -82,7 +82,7 @@ mac_cred_label_alloc(void)
 	struct label *label;
 
 	label = mac_labelzone_alloc(M_WAITOK);
-	MAC_PERFORM(cred_init_label, label);
+	MAC_POLICY_PERFORM(cred_init_label, label);
 	return (label);
 }
 
@@ -100,7 +100,7 @@ void
 mac_cred_label_free(struct label *label)
 {
 
-	MAC_PERFORM_NOSLEEP(cred_destroy_label, label);
+	MAC_POLICY_PERFORM_NOSLEEP(cred_destroy_label, label);
 	mac_labelzone_free(label);
 }
 
@@ -127,7 +127,7 @@ void
 mac_cred_associate_nfsd(struct ucred *cred)
 {
 
-	MAC_PERFORM_NOSLEEP(cred_associate_nfsd, cred);
+	MAC_POLICY_PERFORM_NOSLEEP(cred_associate_nfsd, cred);
 }
 
 /*
@@ -138,7 +138,7 @@ void
 mac_cred_create_swapper(struct ucred *cred)
 {
 
-	MAC_PERFORM_NOSLEEP(cred_create_swapper, cred);
+	MAC_POLICY_PERFORM_NOSLEEP(cred_create_swapper, cred);
 }
 
 /*
@@ -149,7 +149,7 @@ void
 mac_cred_create_init(struct ucred *cred)
 {
 
-	MAC_PERFORM_NOSLEEP(cred_create_init, cred);
+	MAC_POLICY_PERFORM_NOSLEEP(cred_create_init, cred);
 }
 
 int
@@ -158,7 +158,7 @@ mac_cred_externalize_label(struct label 
 {
 	int error;
 
-	MAC_EXTERNALIZE(cred, label, elements, outbuf, outbuflen);
+	MAC_POLICY_EXTERNALIZE(cred, label, elements, outbuf, outbuflen);
 
 	return (error);
 }
@@ -168,7 +168,7 @@ mac_cred_internalize_label(struct label 
 {
 	int error;
 
-	MAC_INTERNALIZE(cred, label, string);
+	MAC_POLICY_INTERNALIZE(cred, label, string);
 
 	return (error);
 }
@@ -182,7 +182,8 @@ void
 mac_cred_copy(struct ucred *src, struct ucred *dest)
 {
 
-	MAC_PERFORM_NOSLEEP(cred_copy_label, src->cr_label, dest->cr_label);
+	MAC_POLICY_PERFORM_NOSLEEP(cred_copy_label, src->cr_label,
+	    dest->cr_label);
 }
 
 /*
@@ -194,7 +195,7 @@ void
 mac_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
 
-	MAC_PERFORM_NOSLEEP(cred_relabel, cred, newlabel);
+	MAC_POLICY_PERFORM_NOSLEEP(cred_relabel, cred, newlabel);
 }
 
 MAC_CHECK_PROBE_DEFINE2(cred_check_relabel, "struct ucred *",
@@ -205,7 +206,7 @@ mac_cred_check_relabel(struct ucred *cre
 {
 	int error;
 
-	MAC_CHECK_NOSLEEP(cred_check_relabel, cred, newlabel);
+	MAC_POLICY_CHECK_NOSLEEP(cred_check_relabel, cred, newlabel);
 	MAC_CHECK_PROBE2(cred_check_relabel, error, cred, newlabel);
 
 	return (error);
@@ -218,7 +219,7 @@ mac_cred_check_setuid(struct ucred *cred
 {
 	int error;
 
-	MAC_CHECK_NOSLEEP(cred_check_setuid, cred, uid);
+	MAC_POLICY_CHECK_NOSLEEP(cred_check_setuid, cred, uid);
 	MAC_CHECK_PROBE2(cred_check_setuid, error, cred, uid);
 
 	return (error);
@@ -231,7 +232,7 @@ mac_cred_check_seteuid(struct ucred *cre
 {
 	int error;
 
-	MAC_CHECK_NOSLEEP(cred_check_seteuid, cred, euid);
+	MAC_POLICY_CHECK_NOSLEEP(cred_check_seteuid, cred, euid);
 	MAC_CHECK_PROBE2(cred_check_seteuid, error, cred, euid);
 
 	return (error);
@@ -244,7 +245,7 @@ mac_cred_check_setgid(struct ucred *cred
 {
 	int error;
 
-	MAC_CHECK_NOSLEEP(cred_check_setgid, cred, gid);
+	MAC_POLICY_CHECK_NOSLEEP(cred_check_setgid, cred, gid);
 	MAC_CHECK_PROBE2(cred_check_setgid, error, cred, gid);
 
 	return (error);
@@ -257,7 +258,7 @@ mac_cred_check_setegid(struct ucred *cre
 {
 	int error;
 
-	MAC_CHECK_NOSLEEP(cred_check_setegid, cred, egid);
+	MAC_POLICY_CHECK_NOSLEEP(cred_check_setegid, cred, egid);
 	MAC_CHECK_PROBE2(cred_check_setegid, error, cred, egid);
 
 	return (error);
@@ -271,7 +272,7 @@ mac_cred_check_setgroups(struct ucred *c
 {
 	int error;
 
-	MAC_CHECK_NOSLEEP(cred_check_setgroups, cred, ngroups, gidset);
+	MAC_POLICY_CHECK_NOSLEEP(cred_check_setgroups, cred, ngroups, gidset);
 	MAC_CHECK_PROBE3(cred_check_setgroups, error, cred, ngroups, gidset);
 
 	return (error);
@@ -285,7 +286,7 @@ mac_cred_check_setreuid(struct ucred *cr
 {
 	int error;
 
-	MAC_CHECK_NOSLEEP(cred_check_setreuid, cred, ruid, euid);
+	MAC_POLICY_CHECK_NOSLEEP(cred_check_setreuid, cred, ruid, euid);
 	MAC_CHECK_PROBE3(cred_check_setreuid, error, cred, ruid, euid);
 
 	return (error);
@@ -299,7 +300,7 @@ mac_cred_check_setregid(struct ucred *cr
 {
 	int error;
 
-	MAC_CHECK_NOSLEEP(cred_check_setregid, cred, rgid, egid);
+	MAC_POLICY_CHECK_NOSLEEP(cred_check_setregid, cred, rgid, egid);
 	MAC_CHECK_PROBE3(cred_check_setregid, error, cred, rgid, egid);
 
 	return (error);
@@ -314,7 +315,7 @@ mac_cred_check_setresuid(struct ucred *c
 {
 	int error;
 
-	MAC_CHECK_NOSLEEP(cred_check_setresuid, cred, ruid, euid, suid);
+	MAC_POLICY_CHECK_NOSLEEP(cred_check_setresuid, cred, ruid, euid, suid);
 	MAC_CHECK_PROBE4(cred_check_setresuid, error, cred, ruid, euid,
 	    suid);
 
@@ -330,7 +331,7 @@ mac_cred_check_setresgid(struct ucred *c
 {
 	int error;
 
-	MAC_CHECK_NOSLEEP(cred_check_setresgid, cred, rgid, egid, sgid);
+	MAC_POLICY_CHECK_NOSLEEP(cred_check_setresgid, cred, rgid, egid, sgid);
 	MAC_CHECK_PROBE4(cred_check_setresgid, error, cred, rgid, egid,
 	    sgid);
 
@@ -345,7 +346,7 @@ mac_cred_check_visible(struct ucred *cr1
 {
 	int error;
 
-	MAC_CHECK_NOSLEEP(cred_check_visible, cr1, cr2);
+	MAC_POLICY_CHECK_NOSLEEP(cred_check_visible, cr1, cr2);
 	MAC_CHECK_PROBE2(cred_check_visible, error, cr1, cr2);
 
 	return (error);

Modified: head/sys/security/mac/mac_inet.c
==============================================================================
--- head/sys/security/mac/mac_inet.c	Fri May  1 20:53:37 2009	(r191730)
+++ head/sys/security/mac/mac_inet.c	Fri May  1 21:05:40 2009	(r191731)
@@ -85,11 +85,11 @@ mac_inpcb_label_alloc(int flag)
 	if (label == NULL)
 		return (NULL);
 	if (flag & M_WAITOK)
-		MAC_CHECK(inpcb_init_label, label, flag);
+		MAC_POLICY_CHECK(inpcb_init_label, label, flag);
 	else
-		MAC_CHECK_NOSLEEP(inpcb_init_label, label, flag);
+		MAC_POLICY_CHECK_NOSLEEP(inpcb_init_label, label, flag);
 	if (error) {
-		MAC_PERFORM_NOSLEEP(inpcb_destroy_label, label);
+		MAC_POLICY_PERFORM_NOSLEEP(inpcb_destroy_label, label);
 		mac_labelzone_free(label);
 		return (NULL);
 	}
@@ -120,11 +120,11 @@ mac_ipq_label_alloc(int flag)
 		return (NULL);
 
 	if (flag & M_WAITOK)
-		MAC_CHECK(ipq_init_label, label, flag);
+		MAC_POLICY_CHECK(ipq_init_label, label, flag);
 	else
-		MAC_CHECK_NOSLEEP(ipq_init_label, label, flag);
+		MAC_POLICY_CHECK_NOSLEEP(ipq_init_label, label, flag);
 	if (error) {
-		MAC_PERFORM_NOSLEEP(ipq_destroy_label, label);
+		MAC_POLICY_PERFORM_NOSLEEP(ipq_destroy_label, label);
 		mac_labelzone_free(label);
 		return (NULL);
 	}
@@ -148,7 +148,7 @@ static void
 mac_inpcb_label_free(struct label *label)
 {
 
-	MAC_PERFORM_NOSLEEP(inpcb_destroy_label, label);
+	MAC_POLICY_PERFORM_NOSLEEP(inpcb_destroy_label, label);
 	mac_labelzone_free(label);
 }
 
@@ -166,7 +166,7 @@ static void
 mac_ipq_label_free(struct label *label)
 {
 
-	MAC_PERFORM_NOSLEEP(ipq_destroy_label, label);
+	MAC_POLICY_PERFORM_NOSLEEP(ipq_destroy_label, label);
 	mac_labelzone_free(label);
 }
 
@@ -184,7 +184,7 @@ void
 mac_inpcb_create(struct socket *so, struct inpcb *inp)
 {
 
-	MAC_PERFORM_NOSLEEP(inpcb_create, so, so->so_label, inp,
+	MAC_POLICY_PERFORM_NOSLEEP(inpcb_create, so, so->so_label, inp,
 	    inp->inp_label);
 }
 
@@ -195,7 +195,8 @@ mac_ipq_reassemble(struct ipq *q, struct
 
 	label = mac_mbuf_to_label(m);
 
-	MAC_PERFORM_NOSLEEP(ipq_reassemble, q, q->ipq_label, m, label);
+	MAC_POLICY_PERFORM_NOSLEEP(ipq_reassemble, q, q->ipq_label, m,
+	    label);
 }
 
 void
@@ -206,7 +207,8 @@ mac_netinet_fragment(struct mbuf *m, str
 	mlabel = mac_mbuf_to_label(m);
 	fraglabel = mac_mbuf_to_label(frag);
 
-	MAC_PERFORM_NOSLEEP(netinet_fragment, m, mlabel, frag, fraglabel);
+	MAC_POLICY_PERFORM_NOSLEEP(netinet_fragment, m, mlabel, frag,
+	    fraglabel);
 }
 
 void
@@ -216,7 +218,7 @@ mac_ipq_create(struct mbuf *m, struct ip
 
 	label = mac_mbuf_to_label(m);
 
-	MAC_PERFORM_NOSLEEP(ipq_create, m, label, q, q->ipq_label);
+	MAC_POLICY_PERFORM_NOSLEEP(ipq_create, m, label, q, q->ipq_label);
 }
 
 void
@@ -227,7 +229,7 @@ mac_inpcb_create_mbuf(struct inpcb *inp,
 	INP_LOCK_ASSERT(inp);
 	mlabel = mac_mbuf_to_label(m);
 
-	MAC_PERFORM_NOSLEEP(inpcb_create_mbuf, inp, inp->inp_label, m,
+	MAC_POLICY_PERFORM_NOSLEEP(inpcb_create_mbuf, inp, inp->inp_label, m,
 	    mlabel);
 }
 
@@ -240,7 +242,7 @@ mac_ipq_match(struct mbuf *m, struct ipq
 	label = mac_mbuf_to_label(m);
 
 	result = 1;
-	MAC_BOOLEAN_NOSLEEP(ipq_match, &&, m, label, q, q->ipq_label);
+	MAC_POLICY_BOOLEAN_NOSLEEP(ipq_match, &&, m, label, q, q->ipq_label);
 
 	return (result);
 }
@@ -253,7 +255,8 @@ mac_netinet_arp_send(struct ifnet *ifp, 
 	mlabel = mac_mbuf_to_label(m);
 
 	MAC_IFNET_LOCK(ifp);
-	MAC_PERFORM_NOSLEEP(netinet_arp_send, ifp, ifp->if_label, m, mlabel);
+	MAC_POLICY_PERFORM_NOSLEEP(netinet_arp_send, ifp, ifp->if_label, m,
+	    mlabel);
 	MAC_IFNET_UNLOCK(ifp);
 }
 
@@ -265,8 +268,8 @@ mac_netinet_icmp_reply(struct mbuf *mrec
 	mrecvlabel = mac_mbuf_to_label(mrecv);
 	msendlabel = mac_mbuf_to_label(msend);
 
-	MAC_PERFORM_NOSLEEP(netinet_icmp_reply, mrecv, mrecvlabel, msend,
-	    msendlabel);
+	MAC_POLICY_PERFORM_NOSLEEP(netinet_icmp_reply, mrecv, mrecvlabel,
+	    msend, msendlabel);
 }
 
 void
@@ -276,7 +279,7 @@ mac_netinet_icmp_replyinplace(struct mbu
 
 	label = mac_mbuf_to_label(m);
 
-	MAC_PERFORM_NOSLEEP(netinet_icmp_replyinplace, m, label);
+	MAC_POLICY_PERFORM_NOSLEEP(netinet_icmp_replyinplace, m, label);
 }
 
 void
@@ -287,7 +290,7 @@ mac_netinet_igmp_send(struct ifnet *ifp,
 	mlabel = mac_mbuf_to_label(m);
 
 	MAC_IFNET_LOCK(ifp);
-	MAC_PERFORM_NOSLEEP(netinet_igmp_send, ifp, ifp->if_label, m,
+	MAC_POLICY_PERFORM_NOSLEEP(netinet_igmp_send, ifp, ifp->if_label, m,
 	    mlabel);
 	MAC_IFNET_UNLOCK(ifp);
 }
@@ -299,7 +302,7 @@ mac_netinet_tcp_reply(struct mbuf *m)
 
 	label = mac_mbuf_to_label(m);
 
-	MAC_PERFORM_NOSLEEP(netinet_tcp_reply, m, label);
+	MAC_POLICY_PERFORM_NOSLEEP(netinet_tcp_reply, m, label);
 }
 
 void
@@ -309,7 +312,7 @@ mac_ipq_update(struct mbuf *m, struct ip
 
 	label = mac_mbuf_to_label(m);
 
-	MAC_PERFORM_NOSLEEP(ipq_update, m, label, q, q->ipq_label);
+	MAC_POLICY_PERFORM_NOSLEEP(ipq_update, m, label, q, q->ipq_label);
 }
 
 MAC_CHECK_PROBE_DEFINE2(inpcb_check_deliver, "struct inpcb *",
@@ -325,7 +328,7 @@ mac_inpcb_check_deliver(struct inpcb *in
 
 	label = mac_mbuf_to_label(m);
 
-	MAC_CHECK_NOSLEEP(inpcb_check_deliver, inp, inp->inp_label, m,
+	MAC_POLICY_CHECK_NOSLEEP(inpcb_check_deliver, inp, inp->inp_label, m,
 	    label);
 	MAC_CHECK_PROBE2(inpcb_check_deliver, error, inp, m);
 
@@ -342,7 +345,8 @@ mac_inpcb_check_visible(struct ucred *cr
 
 	INP_LOCK_ASSERT(inp);
 
-	MAC_CHECK_NOSLEEP(inpcb_check_visible, cred, inp, inp->inp_label);
+	MAC_POLICY_CHECK_NOSLEEP(inpcb_check_visible, cred, inp,
+	    inp->inp_label);
 	MAC_CHECK_PROBE2(inpcb_check_visible, error, cred, inp);
 
 	return (error);
@@ -355,7 +359,7 @@ mac_inpcb_sosetlabel(struct socket *so, 
 	INP_WLOCK_ASSERT(inp);
 	SOCK_LOCK_ASSERT(so);
 
-	MAC_PERFORM_NOSLEEP(inpcb_sosetlabel, so, so->so_label, inp,
+	MAC_POLICY_PERFORM_NOSLEEP(inpcb_sosetlabel, so, so->so_label, inp,
 	    inp->inp_label);
 }
 
@@ -370,8 +374,8 @@ mac_netinet_firewall_reply(struct mbuf *
 	mrecvlabel = mac_mbuf_to_label(mrecv);
 	msendlabel = mac_mbuf_to_label(msend);
 
-	MAC_PERFORM_NOSLEEP(netinet_firewall_reply, mrecv, mrecvlabel, msend,
-	    msendlabel);
+	MAC_POLICY_PERFORM_NOSLEEP(netinet_firewall_reply, mrecv, mrecvlabel,
+	    msend, msendlabel);
 }
 
 void
@@ -383,7 +387,7 @@ mac_netinet_firewall_send(struct mbuf *m
 
 	label = mac_mbuf_to_label(m);
 
-	MAC_PERFORM_NOSLEEP(netinet_firewall_send, m, label);
+	MAC_POLICY_PERFORM_NOSLEEP(netinet_firewall_send, m, label);
 }
 
 /*
@@ -400,7 +404,7 @@ mac_syncache_destroy(struct label **labe
 {
 
 	if (*label != NULL) {
-		MAC_PERFORM_NOSLEEP(syncache_destroy_label, *label);
+		MAC_POLICY_PERFORM_NOSLEEP(syncache_destroy_label, *label);
 		mac_labelzone_free(*label);
 		*label = NULL;
 	}
@@ -422,9 +426,11 @@ mac_syncache_init(struct label **label)
 		 * MAC_PERFORM so we can propagate allocation failures back
 		 * to the syncache code.
 		 */
-		MAC_CHECK_NOSLEEP(syncache_init_label, *label, M_NOWAIT);
+		MAC_POLICY_CHECK_NOSLEEP(syncache_init_label, *label,
+		    M_NOWAIT);
 		if (error) {
-			MAC_PERFORM_NOSLEEP(syncache_destroy_label, *label);
+			MAC_POLICY_PERFORM_NOSLEEP(syncache_destroy_label,
+			    *label);
 			mac_labelzone_free(*label);
 		}
 		return (error);
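Review bot: The context comment in this hunk still refers to `MAC_PERFORM`, a name this commit retires and frees for a different use, so it should read `MAC_POLICY_PERFORM`; the part of the comment above the hunk is not visible and may need the same update. Separately, the error path calls `mac_labelzone_free(*label);` but leaves the caller's pointer set. Since mac_syncache_destroy() frees whenever `*label != NULL`, a caller that runs destroy after a failed init would free the label twice; whether any caller does so cannot be confirmed from this hunk. Adding `*label = NULL;` right after the free would make the failure path safe regardless. mac_syncache_init's body starts above the hunk.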
@@ -439,7 +445,7 @@ mac_syncache_create(struct label *label,
 
 	INP_WLOCK_ASSERT(inp);
 
-	MAC_PERFORM_NOSLEEP(syncache_create, label, inp);
+	MAC_POLICY_PERFORM_NOSLEEP(syncache_create, label, inp);
 }
 
 void
@@ -451,5 +457,6 @@ mac_syncache_create_mbuf(struct label *s
 
 	mlabel = mac_mbuf_to_label(m);
 
-	MAC_PERFORM_NOSLEEP(syncache_create_mbuf, sc_label, m, mlabel);
+	MAC_POLICY_PERFORM_NOSLEEP(syncache_create_mbuf, sc_label, m,
+	    mlabel);
 }

Modified: head/sys/security/mac/mac_inet6.c
==============================================================================
--- head/sys/security/mac/mac_inet6.c	Fri May  1 20:53:37 2009	(r191730)
+++ head/sys/security/mac/mac_inet6.c	Fri May  1 21:05:40 2009	(r191731)
@@ -71,11 +71,11 @@ mac_ip6q_label_alloc(int flag)
 		return (NULL);
 
 	if (flag & M_WAITOK)
-		MAC_CHECK(ip6q_init_label, label, flag);
+		MAC_POLICY_CHECK(ip6q_init_label, label, flag);
 	else
-		MAC_CHECK_NOSLEEP(ip6q_init_label, label, flag);
+		MAC_POLICY_CHECK_NOSLEEP(ip6q_init_label, label, flag);
 	if (error) {
-		MAC_PERFORM_NOSLEEP(ip6q_destroy_label, label);
+		MAC_POLICY_PERFORM_NOSLEEP(ip6q_destroy_label, label);
 		mac_labelzone_free(label);
 		return (NULL);
 	}
@@ -99,7 +99,7 @@ static void
 mac_ip6q_label_free(struct label *label)
 {
 
-	MAC_PERFORM_NOSLEEP(ip6q_destroy_label, label);
+	MAC_POLICY_PERFORM_NOSLEEP(ip6q_destroy_label, label);
 	mac_labelzone_free(label);
 }
 
@@ -120,7 +120,8 @@ mac_ip6q_reassemble(struct ip6q *q6, str
 
 	label = mac_mbuf_to_label(m);
 
-	MAC_PERFORM_NOSLEEP(ip6q_reassemble, q6, q6->ip6q_label, m, label);
+	MAC_POLICY_PERFORM_NOSLEEP(ip6q_reassemble, q6, q6->ip6q_label, m,
+	    label);
 }
 
 void
@@ -130,7 +131,8 @@ mac_ip6q_create(struct mbuf *m, struct i
 
 	label = mac_mbuf_to_label(m);
 
-	MAC_PERFORM_NOSLEEP(ip6q_create, m, label, q6, q6->ip6q_label);
+	MAC_POLICY_PERFORM_NOSLEEP(ip6q_create, m, label, q6,
+	    q6->ip6q_label);
 }
 
 int
@@ -142,7 +144,8 @@ mac_ip6q_match(struct mbuf *m, struct ip
 	label = mac_mbuf_to_label(m);
 
 	result = 1;
-	MAC_BOOLEAN_NOSLEEP(ip6q_match, &&, m, label, q6, q6->ip6q_label);
+	MAC_POLICY_BOOLEAN_NOSLEEP(ip6q_match, &&, m, label, q6,
+	    q6->ip6q_label);
 
 	return (result);
 }
@@ -154,7 +157,8 @@ mac_ip6q_update(struct mbuf *m, struct i
 
 	label = mac_mbuf_to_label(m);
 
-	MAC_PERFORM_NOSLEEP(ip6q_update, m, label, q6, q6->ip6q_label);
+	MAC_POLICY_PERFORM_NOSLEEP(ip6q_update, m, label, q6,
+	    q6->ip6q_label);
 }
 
 void
@@ -164,6 +168,6 @@ mac_netinet6_nd6_send(struct ifnet *ifp,
 
 	mlabel = mac_mbuf_to_label(m);
 
-	MAC_PERFORM_NOSLEEP(netinet6_nd6_send, ifp, ifp->if_label, m,
+	MAC_POLICY_PERFORM_NOSLEEP(netinet6_nd6_send, ifp, ifp->if_label, m,
 	    mlabel);
 }
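Review bot: `ifp->if_label` is handed to the policies here without taking `MAC_IFNET_LOCK(ifp)`, unlike the sibling send hooks touched by this commit (mac_netatalk_aarp_send, mac_netinet_arp_send, mac_netinet_igmp_send), which bracket the same kind of call with the lock. mac_ifnet_ioctl_set relabels the interface under that lock, so this unlocked reader could observe a label while it is being changed unless callers serialize some other way, which is not visible in this hunk. Consider adding `MAC_IFNET_LOCK(ifp);` before and `MAC_IFNET_UNLOCK(ifp);` after the `MAC_POLICY_PERFORM_NOSLEEP(netinet6_nd6_send, ...)` call. The function starts above the hunk.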

Modified: head/sys/security/mac/mac_internal.h
==============================================================================
--- head/sys/security/mac/mac_internal.h	Fri May  1 20:53:37 2009	(r191730)
+++ head/sys/security/mac/mac_internal.h	Fri May  1 21:05:40 2009	(r191731)
@@ -257,11 +257,11 @@ int	vn_setlabel(struct vnode *vp, struct
  * specific entry point.  They come in two forms: one which permits policies
  * to sleep/block, and another that does not.
  *
- * MAC_CHECK performs the designated check by walking the policy module list
- * and checking with each as to how it feels about the request.  Note that it
- * returns its value via 'error' in the scope of the caller.
+ * MAC_POLICY_CHECK performs the designated check by walking the policy
+ * module list and checking with each as to how it feels about the request.
+ * Note that it returns its value via 'error' in the scope of the caller.
  */
-#define	MAC_CHECK(check, args...) do {					\
+#define	MAC_POLICY_CHECK(check, args...) do {				\
 	struct mac_policy_conf *mpc;					\
 									\
 	error = 0;							\
@@ -283,7 +283,7 @@ int	vn_setlabel(struct vnode *vp, struct
 	}								\
 } while (0)
 
-#define	MAC_CHECK_NOSLEEP(check, args...) do {				\
+#define	MAC_POLICY_CHECK_NOSLEEP(check, args...) do {			\
 	struct mac_policy_conf *mpc;					\
 									\
 	error = 0;							\
@@ -306,13 +306,13 @@ int	vn_setlabel(struct vnode *vp, struct
 } while (0)
 
 /*
- * MAC_GRANT performs the designated check by walking the policy module list
- * and checking with each as to how it feels about the request.  Unlike
- * MAC_CHECK, it grants if any policies return '0', and otherwise returns
- * EPERM.  Note that it returns its value via 'error' in the scope of the
- * caller.
+ * MAC_POLICY_GRANT performs the designated check by walking the policy
+ * module list and checking with each as to how it feels about the request.
+ * Unlike MAC_POLICY_CHECK, it grants if any policies return '0', and
+ * otherwise returns EPERM.  Note that it returns its value via 'error' in
+ * the scope of the caller.
  */
-#define	MAC_GRANT_NOSLEEP(check, args...) do {				\
+#define	MAC_POLICY_GRANT_NOSLEEP(check, args...) do {			\
 	struct mac_policy_conf *mpc;					\
 									\
 	error = EPERM;							\
@@ -336,13 +336,13 @@ int	vn_setlabel(struct vnode *vp, struct
 } while (0)
 
 /*
- * MAC_BOOLEAN performs the designated boolean composition by walking the
- * module list, invoking each instance of the operation, and combining the
- * results using the passed C operator.  Note that it returns its value via
- * 'result' in the scope of the caller, which should be initialized by the
- * caller in a meaningful way to get a meaningful result.
+ * MAC_POLICY_BOOLEAN performs the designated boolean composition by walking
+ * the module list, invoking each instance of the operation, and combining
+ * the results using the passed C operator.  Note that it returns its value
+ * via 'result' in the scope of the caller, which should be initialized by
+ * the caller in a meaningful way to get a meaningful result.
  */
-#define	MAC_BOOLEAN(operation, composition, args...) do {		\
+#define	MAC_POLICY_BOOLEAN(operation, composition, args...) do {	\
 	struct mac_policy_conf *mpc;					\
 									\
 	LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) {		\
@@ -362,7 +362,7 @@ int	vn_setlabel(struct vnode *vp, struct
 	}								\
 } while (0)
 
-#define	MAC_BOOLEAN_NOSLEEP(operation, composition, args...) do {	\
+#define	MAC_POLICY_BOOLEAN_NOSLEEP(operation, composition, args...) do {\
 	struct mac_policy_conf *mpc;					\
 									\
 	LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) {		\
@@ -383,13 +383,13 @@ int	vn_setlabel(struct vnode *vp, struct
 } while (0)
 
 /*
- * MAC_EXTERNALIZE queries each policy to see if it can generate an
+ * MAC_POLICY_EXTERNALIZE queries each policy to see if it can generate an
  * externalized version of a label element by name.  Policies declare whether
  * they have matched a particular element name, parsed from the string by
- * MAC_EXTERNALIZE, and an error is returned if any element is matched by no
- * policy.
+ * MAC_POLICY_EXTERNALIZE, and an error is returned if any element is matched
+ * by no policy.
  */
-#define	MAC_EXTERNALIZE(type, label, elementlist, outbuf, 		\
+#define	MAC_POLICY_EXTERNALIZE(type, label, elementlist, outbuf, 	\
     outbuflen) do {							\
 	int claimed, first, ignorenotfound, savedlen;			\
 	char *element_name, *element_temp;				\
@@ -415,7 +415,7 @@ int	vn_setlabel(struct vnode *vp, struct
 			break;						\
 		}							\
 		claimed = 0;						\
-		MAC_CHECK(type ## _externalize_label, label,		\
+		MAC_POLICY_CHECK(type ## _externalize_label, label,	\
 		    element_name, &sb, &claimed);			\
 		if (error)						\
 			break;						\
@@ -433,11 +433,11 @@ int	vn_setlabel(struct vnode *vp, struct
 } while (0)
 
 /*
- * MAC_INTERNALIZE presents parsed element names and data to each policy to
- * see if any is willing to claim it and internalize the label data.  If no
- * policies match, an error is returned.
+ * MAC_POLICY_INTERNALIZE presents parsed element names and data to each
+ * policy to see if any is willing to claim it and internalize the label
+ * data.  If no policies match, an error is returned.
  */
-#define	MAC_INTERNALIZE(type, label, instring) do {			\
+#define	MAC_POLICY_INTERNALIZE(type, label, instring) do {		\
 	char *element, *element_name, *element_data;			\
 	int claimed;							\
 									\
@@ -451,7 +451,7 @@ int	vn_setlabel(struct vnode *vp, struct
 			break;						\
 		}							\
 		claimed = 0;						\
-		MAC_CHECK(type ## _internalize_label, label,		\
+		MAC_POLICY_CHECK(type ## _internalize_label, label,	\
 		    element_name, element_data, &claimed);		\
 		if (error)						\
 			break;						\
@@ -464,10 +464,10 @@ int	vn_setlabel(struct vnode *vp, struct
 } while (0)
 
 /*
- * MAC_PERFORM performs the designated operation by walking the policy module
- * list and invoking that operation for each policy.
+ * MAC_POLICY_PERFORM performs the designated operation by walking the policy
+ * module list and invoking that operation for each policy.
  */
-#define	MAC_PERFORM(operation, args...) do {				\
+#define	MAC_POLICY_PERFORM(operation, args...) do {			\
 	struct mac_policy_conf *mpc;					\
 									\
 	LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) {		\
@@ -484,7 +484,7 @@ int	vn_setlabel(struct vnode *vp, struct
 	}								\
 } while (0)
 
-#define	MAC_PERFORM_NOSLEEP(operation, args...) do {			\
+#define	MAC_POLICY_PERFORM_NOSLEEP(operation, args...) do {		\
 	struct mac_policy_conf *mpc;					\
 									\
 	LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) {		\

Modified: head/sys/security/mac/mac_net.c
==============================================================================
--- head/sys/security/mac/mac_net.c	Fri May  1 20:53:37 2009	(r191730)
+++ head/sys/security/mac/mac_net.c	Fri May  1 21:05:40 2009	(r191731)
@@ -110,7 +110,7 @@ mac_bpfdesc_label_alloc(void)
 	struct label *label;
 
 	label = mac_labelzone_alloc(M_WAITOK);
-	MAC_PERFORM(bpfdesc_init_label, label);
+	MAC_POLICY_PERFORM(bpfdesc_init_label, label);
 	return (label);
 }
 
@@ -130,7 +130,7 @@ mac_ifnet_label_alloc(void)
 	struct label *label;
 
 	label = mac_labelzone_alloc(M_WAITOK);
-	MAC_PERFORM(ifnet_init_label, label);
+	MAC_POLICY_PERFORM(ifnet_init_label, label);
 	return (label);
 }
 
@@ -154,11 +154,11 @@ mac_mbuf_tag_init(struct m_tag *tag, int
 	mac_init_label(label);
 
 	if (flag & M_WAITOK)
-		MAC_CHECK(mbuf_init_label, label, flag);
+		MAC_POLICY_CHECK(mbuf_init_label, label, flag);
 	else
-		MAC_CHECK_NOSLEEP(mbuf_init_label, label, flag);
+		MAC_POLICY_CHECK_NOSLEEP(mbuf_init_label, label, flag);
 	if (error) {
-		MAC_PERFORM_NOSLEEP(mbuf_destroy_label, label);
+		MAC_POLICY_PERFORM_NOSLEEP(mbuf_destroy_label, label);
 		mac_destroy_label(label);
 	}
 	return (error);
@@ -191,7 +191,7 @@ static void
 mac_bpfdesc_label_free(struct label *label)
 {
 
-	MAC_PERFORM_NOSLEEP(bpfdesc_destroy_label, label);
+	MAC_POLICY_PERFORM_NOSLEEP(bpfdesc_destroy_label, label);
 	mac_labelzone_free(label);
 }
 
@@ -209,7 +209,7 @@ static void
 mac_ifnet_label_free(struct label *label)
 {
 
-	MAC_PERFORM_NOSLEEP(ifnet_destroy_label, label);
+	MAC_POLICY_PERFORM_NOSLEEP(ifnet_destroy_label, label);
 	mac_labelzone_free(label);
 }
 
@@ -230,7 +230,7 @@ mac_mbuf_tag_destroy(struct m_tag *tag)
 
 	label = (struct label *)(tag+1);
 
-	MAC_PERFORM_NOSLEEP(mbuf_destroy_label, label);
+	MAC_POLICY_PERFORM_NOSLEEP(mbuf_destroy_label, label);
 	mac_destroy_label(label);
 }
 
@@ -250,7 +250,7 @@ mac_mbuf_tag_copy(struct m_tag *src, str
 	 * mac_mbuf_tag_init() is called on the target tag in m_tag_copy(),
 	 * so we don't need to call it here.
 	 */
-	MAC_PERFORM_NOSLEEP(mbuf_copy_label, src_label, dest_label);
+	MAC_POLICY_PERFORM_NOSLEEP(mbuf_copy_label, src_label, dest_label);
 }
 
 void
@@ -261,14 +261,14 @@ mac_mbuf_copy(struct mbuf *m_from, struc
 	src_label = mac_mbuf_to_label(m_from);
 	dest_label = mac_mbuf_to_label(m_to);
 
-	MAC_PERFORM_NOSLEEP(mbuf_copy_label, src_label, dest_label);
+	MAC_POLICY_PERFORM_NOSLEEP(mbuf_copy_label, src_label, dest_label);
 }
 
 static void
 mac_ifnet_copy_label(struct label *src, struct label *dest)
 {
 
-	MAC_PERFORM_NOSLEEP(ifnet_copy_label, src, dest);
+	MAC_POLICY_PERFORM_NOSLEEP(ifnet_copy_label, src, dest);
 }
 
 static int
@@ -277,7 +277,7 @@ mac_ifnet_externalize_label(struct label
 {
 	int error;
 
-	MAC_EXTERNALIZE(ifnet, label, elements, outbuf, outbuflen);
+	MAC_POLICY_EXTERNALIZE(ifnet, label, elements, outbuf, outbuflen);
 
 	return (error);
 }
@@ -287,7 +287,7 @@ mac_ifnet_internalize_label(struct label
 {
 	int error;
 
-	MAC_INTERNALIZE(ifnet, label, string);
+	MAC_POLICY_INTERNALIZE(ifnet, label, string);
 
 	return (error);
 }
@@ -297,7 +297,7 @@ mac_ifnet_create(struct ifnet *ifp)
 {
 
 	MAC_IFNET_LOCK(ifp);
-	MAC_PERFORM_NOSLEEP(ifnet_create, ifp, ifp->if_label);
+	MAC_POLICY_PERFORM_NOSLEEP(ifnet_create, ifp, ifp->if_label);
 	MAC_IFNET_UNLOCK(ifp);
 }
 
@@ -305,7 +305,7 @@ void
 mac_bpfdesc_create(struct ucred *cred, struct bpf_d *d)
 {
 
-	MAC_PERFORM_NOSLEEP(bpfdesc_create, cred, d, d->bd_label);
+	MAC_POLICY_PERFORM_NOSLEEP(bpfdesc_create, cred, d, d->bd_label);
 }
 
 void
@@ -317,7 +317,8 @@ mac_bpfdesc_create_mbuf(struct bpf_d *d,
 
 	label = mac_mbuf_to_label(m);
 
-	MAC_PERFORM_NOSLEEP(bpfdesc_create_mbuf, d, d->bd_label, m, label);
+	MAC_POLICY_PERFORM_NOSLEEP(bpfdesc_create_mbuf, d, d->bd_label, m,
+	    label);
 }
 
 void
@@ -328,7 +329,8 @@ mac_ifnet_create_mbuf(struct ifnet *ifp,
 	label = mac_mbuf_to_label(m);
 
 	MAC_IFNET_LOCK(ifp);
-	MAC_PERFORM_NOSLEEP(ifnet_create_mbuf, ifp, ifp->if_label, m, label);
+	MAC_POLICY_PERFORM_NOSLEEP(ifnet_create_mbuf, ifp, ifp->if_label, m,
+	    label);
 	MAC_IFNET_UNLOCK(ifp);
 }
 
@@ -343,7 +345,7 @@ mac_bpfdesc_check_receive(struct bpf_d *
 	BPFD_LOCK_ASSERT(d);
 
 	MAC_IFNET_LOCK(ifp);
-	MAC_CHECK_NOSLEEP(bpfdesc_check_receive, d, d->bd_label, ifp,
+	MAC_POLICY_CHECK_NOSLEEP(bpfdesc_check_receive, d, d->bd_label, ifp,
 	    ifp->if_label);
 	MAC_CHECK_PROBE2(bpfdesc_check_receive, error, d, ifp);
 	MAC_IFNET_UNLOCK(ifp);
@@ -365,7 +367,7 @@ mac_ifnet_check_transmit(struct ifnet *i
 	label = mac_mbuf_to_label(m);
 
 	MAC_IFNET_LOCK(ifp);
-	MAC_CHECK_NOSLEEP(ifnet_check_transmit, ifp, ifp->if_label, m,
+	MAC_POLICY_CHECK_NOSLEEP(ifnet_check_transmit, ifp, ifp->if_label, m,
 	    label);
 	MAC_CHECK_PROBE2(ifnet_check_transmit, error, ifp, m);
 	MAC_IFNET_UNLOCK(ifp);
@@ -463,15 +465,15 @@ mac_ifnet_ioctl_set(struct ucred *cred, 
 	}
 
 	MAC_IFNET_LOCK(ifp);
-	MAC_CHECK_NOSLEEP(ifnet_check_relabel, cred, ifp, ifp->if_label,
-	    intlabel);
+	MAC_POLICY_CHECK_NOSLEEP(ifnet_check_relabel, cred, ifp,
+	    ifp->if_label, intlabel);
 	if (error) {
 		MAC_IFNET_UNLOCK(ifp);
 		mac_ifnet_label_free(intlabel);
 		return (error);
 	}
 
-	MAC_PERFORM_NOSLEEP(ifnet_relabel, cred, ifp, ifp->if_label,
+	MAC_POLICY_PERFORM_NOSLEEP(ifnet_relabel, cred, ifp, ifp->if_label,
 	    intlabel);
 	MAC_IFNET_UNLOCK(ifp);
 

Modified: head/sys/security/mac/mac_pipe.c
==============================================================================
--- head/sys/security/mac/mac_pipe.c	Fri May  1 20:53:37 2009	(r191730)
+++ head/sys/security/mac/mac_pipe.c	Fri May  1 21:05:40 2009	(r191731)
@@ -66,7 +66,7 @@ mac_pipe_label_alloc(void)
 	struct label *label;
 
 	label = mac_labelzone_alloc(M_WAITOK);
-	MAC_PERFORM(pipe_init_label, label);
+	MAC_POLICY_PERFORM(pipe_init_label, label);
 	return (label);
 }
 
@@ -84,7 +84,7 @@ void
 mac_pipe_label_free(struct label *label)
 {
 
-	MAC_PERFORM_NOSLEEP(pipe_destroy_label, label);
+	MAC_POLICY_PERFORM_NOSLEEP(pipe_destroy_label, label);
 	mac_labelzone_free(label);
 }
 
@@ -102,7 +102,7 @@ void
 mac_pipe_copy_label(struct label *src, struct label *dest)
 {
 
-	MAC_PERFORM_NOSLEEP(pipe_copy_label, src, dest);
+	MAC_POLICY_PERFORM_NOSLEEP(pipe_copy_label, src, dest);
 }
 
 int
@@ -111,7 +111,7 @@ mac_pipe_externalize_label(struct label 
 {
 	int error;
 
-	MAC_EXTERNALIZE(pipe, label, elements, outbuf, outbuflen);
+	MAC_POLICY_EXTERNALIZE(pipe, label, elements, outbuf, outbuflen);
 
 	return (error);
 }
@@ -121,7 +121,7 @@ mac_pipe_internalize_label(struct label 
 {
 	int error;
 
-	MAC_INTERNALIZE(pipe, label, string);
+	MAC_POLICY_INTERNALIZE(pipe, label, string);
 
 	return (error);
 }
@@ -130,7 +130,7 @@ void
 mac_pipe_create(struct ucred *cred, struct pipepair *pp)
 {
 
-	MAC_PERFORM_NOSLEEP(pipe_create, cred, pp, pp->pp_label);
+	MAC_POLICY_PERFORM_NOSLEEP(pipe_create, cred, pp, pp->pp_label);
 }
 
 static void
@@ -138,7 +138,8 @@ mac_pipe_relabel(struct ucred *cred, str
     struct label *newlabel)
 {
 
-	MAC_PERFORM_NOSLEEP(pipe_relabel, cred, pp, pp->pp_label, newlabel);
+	MAC_POLICY_PERFORM_NOSLEEP(pipe_relabel, cred, pp, pp->pp_label,
+	    newlabel);
 }
 
 MAC_CHECK_PROBE_DEFINE4(pipe_check_ioctl, "struct ucred *",
@@ -152,8 +153,8 @@ mac_pipe_check_ioctl(struct ucred *cred,
 
 	mtx_assert(&pp->pp_mtx, MA_OWNED);
 
-	MAC_CHECK_NOSLEEP(pipe_check_ioctl, cred, pp, pp->pp_label, cmd,
-	    data);
+	MAC_POLICY_CHECK_NOSLEEP(pipe_check_ioctl, cred, pp, pp->pp_label,
+	    cmd, data);
 	MAC_CHECK_PROBE4(pipe_check_ioctl, error, cred, pp, cmd, data);
 
 	return (error);
@@ -169,7 +170,7 @@ mac_pipe_check_poll(struct ucred *cred, 
 
 	mtx_assert(&pp->pp_mtx, MA_OWNED);
 
-	MAC_CHECK_NOSLEEP(pipe_check_poll, cred, pp, pp->pp_label);
+	MAC_POLICY_CHECK_NOSLEEP(pipe_check_poll, cred, pp, pp->pp_label);
 	MAC_CHECK_PROBE2(pipe_check_poll, error, cred, pp);
 
 	return (error);
@@ -185,7 +186,7 @@ mac_pipe_check_read(struct ucred *cred, 
 
 	mtx_assert(&pp->pp_mtx, MA_OWNED);
 
-	MAC_CHECK_NOSLEEP(pipe_check_read, cred, pp, pp->pp_label);
+	MAC_POLICY_CHECK_NOSLEEP(pipe_check_read, cred, pp, pp->pp_label);
 	MAC_CHECK_PROBE2(pipe_check_read, error, cred, pp);

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

