PERFORCE change 41858 for review

Robert Watson rwatson at FreeBSD.org
Mon Nov 10 03:46:11 GMT 2003


http://perforce.freebsd.org/chv.cgi?CH=41858

Change 41858 by rwatson at rwatson_paprika on 2003/11/09 19:45:50

	Integrate the TrustedBSD SEBSD branch with recent changes from the
	TrustedBSD MAC branch:
	
	- Use zone allocated temporary labels rather than stack-allocated
	  storage for credentials, pipes, vnodes, during query/set/
	  transition/...
	- Simplify mac_execve_enter() API and interpreter code.
	- Remove old _init() and _destroy() APIs for caller-owned memory
	  initialization/destruction.  GC.

Affected files ...

.. //depot/projects/trustedbsd/sebsd/sys/kern/kern_exec.c#8 integrate
.. //depot/projects/trustedbsd/sebsd/sys/kern/kern_mac.c#18 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_internal.h#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_net.c#4 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_pipe.c#4 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_process.c#4 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_vfs.c#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_biba/mac_biba.c#8 integrate
.. //depot/projects/trustedbsd/sebsd/sys/sys/mac.h#11 integrate

Differences ...

==== //depot/projects/trustedbsd/sebsd/sys/kern/kern_exec.c#8 (text+ko) ====

@@ -168,9 +168,8 @@
 	int credential_changing;
 	int textset;
 #ifdef MAC
-	struct label interplabel;	/* label of the interpreted vnode */
-	struct label execlabel;		/* optional label argument */
-	int will_transition, interplabelvalid = 0;
+	struct label *interplabel = NULL;
+	int will_transition;
 #endif
 
 	imgp = &image_params;
@@ -223,7 +222,7 @@
 	imgp->auxarg_size = 0;
 
 #ifdef MAC
-	error = mac_execve_enter(imgp, mac_p, &execlabel);
+	error = mac_execve_enter(imgp, mac_p);
 	if (error) {
 		mtx_lock(&Giant);
 		goto exec_fail;
@@ -340,9 +339,8 @@
 		/* free name buffer and old vnode */
 		NDFREE(ndp, NDF_ONLY_PNBUF);
 #ifdef MAC
-		mac_init_vnode_label(&interplabel);
-		mac_copy_vnode_label(ndp->ni_vp->v_label, &interplabel);
-		interplabelvalid = 1;
+		interplabel = mac_cred_label_alloc();
+		mac_copy_vnode_label(ndp->ni_vp->v_label, interplabel);
 #endif
 		vput(ndp->ni_vp);
 		vm_object_deallocate(imgp->object);
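Review bot: The interpreter label is allocated with the credential allocator, `interplabel = mac_cred_label_alloc();`, but it is filled by mac_copy_vnode_label on the next line and released with mac_vnode_label_free in the two done2 hunks below (the `-658` and `-668` hunks). A label initialised by the cred path and torn down by the vnode path will presumably run mismatched policy init/destroy hooks and leave the per-type debug counters unbalanced; the line should read `interplabel = mac_vnode_label_alloc();`, which this change already exports in mac.h. The old `interplabelvalid` guard is gone, so if this block can be entered more than once for the same exec (nested interpretation) the earlier allocation would leak; whether that path is reachable is not visible here and is worth checking. The enclosing function starts and ends outside the hunk.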
@@ -456,7 +454,7 @@
 	    attr.va_gid;
 #ifdef MAC
 	will_transition = mac_execve_will_transition(oldcred, imgp->vp,
-	    interplabelvalid ? &interplabel : NULL, imgp);
+	    interplabel, imgp);
 	credential_changing |= will_transition;
 #endif
 
@@ -506,7 +504,7 @@
 #ifdef MAC
 		if (will_transition) {
 			mac_execve_transition(oldcred, newcred, imgp->vp,
-			    interplabelvalid ? &interplabel : NULL, imgp);
+			    interplabel, imgp);
 		}
 #endif
 		/*
@@ -658,8 +656,8 @@
 		/* sorry, no more process anymore. exit gracefully */
 #ifdef MAC
 		mac_execve_exit(imgp);
-		if (interplabelvalid)
-			mac_destroy_vnode_label(&interplabel);
+		if (interplabel != NULL)
+			mac_vnode_label_free(interplabel);
 #endif
 		exit1(td, W_EXITCODE(0, SIGABRT));
 		/* NOT REACHED */
@@ -668,8 +666,8 @@
 done2:
 #ifdef MAC
 	mac_execve_exit(imgp);
-	if (interplabelvalid)
-		mac_destroy_vnode_label(&interplabel);
+	if (interplabel != NULL)
+		mac_vnode_label_free(interplabel);
 #endif
 	mtx_unlock(&Giant);
 	return (error);

==== //depot/projects/trustedbsd/sebsd/sys/kern/kern_mac.c#18 (text+ko) ====

@@ -643,7 +643,7 @@
 __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
 {
 	struct ucred *newcred, *oldcred;
-	struct label intlabel;
+	struct label *intlabel;
 	struct proc *p;
 	struct mac mac;
 	char *buffer;
@@ -664,13 +664,11 @@
 		return (error);
 	}
 
-	mac_init_cred_label(&intlabel);
-	error = mac_internalize_cred_label(&intlabel, buffer);
+	intlabel = mac_cred_label_alloc();
+	error = mac_internalize_cred_label(intlabel, buffer);
 	free(buffer, M_MACTEMP);
-	if (error) {
-		mac_destroy_cred_label(&intlabel);
-		return (error);
-	}
+	if (error)
+		goto out;
 
 	newcred = crget();
 
@@ -678,7 +676,7 @@
 	PROC_LOCK(p);
 	oldcred = p->p_ucred;
 
-	error = mac_check_cred_relabel(oldcred, &intlabel);
+	error = mac_check_cred_relabel(oldcred, intlabel);
 	if (error) {
 		PROC_UNLOCK(p);
 		crfree(newcred);
@@ -687,7 +685,7 @@
 
 	setsugid(p);
 	crcopy(newcred, oldcred);
-	mac_relabel_cred(newcred, &intlabel);
+	mac_relabel_cred(newcred, intlabel);
 	p->p_ucred = newcred;
 
 	/*
@@ -707,7 +705,7 @@
 	crfree(oldcred);
 
 out:
-	mac_destroy_cred_label(&intlabel);
+	mac_cred_label_free(intlabel);
 	return (error);
 }
 
@@ -718,7 +716,7 @@
 __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
 {
 	char *elements, *buffer;
-	struct label intlabel;
+	struct label *intlabel;
 	struct file *fp;
 	struct mac mac;
 	struct vnode *vp;
@@ -753,20 +751,20 @@
 	case DTYPE_VNODE:
 		vp = fp->f_vnode;
 
-		mac_init_vnode_label(&intlabel);
+		intlabel = mac_vnode_label_alloc();
 
 		vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
-		mac_copy_vnode_label(vp->v_label, &intlabel);
+		mac_copy_vnode_label(vp->v_label, intlabel);
 		VOP_UNLOCK(vp, 0, td);
 
 		break;
 	case DTYPE_PIPE:
 		pipe = fp->f_data;
 
-		mac_init_pipe_label(&intlabel);
+		intlabel = mac_pipe_label_alloc();
 
 		PIPE_LOCK(pipe);
-		mac_copy_pipe_label(pipe->pipe_label, &intlabel);
+		mac_copy_pipe_label(pipe->pipe_label, intlabel);
 		PIPE_UNLOCK(pipe);
 		break;
 	default:
@@ -780,14 +778,14 @@
 	case DTYPE_FIFO:
 	case DTYPE_VNODE:
 		if (error == 0)
-			error = mac_externalize_vnode_label(&intlabel,
+			error = mac_externalize_vnode_label(intlabel,
 			    elements, buffer, mac.m_buflen);
-		mac_destroy_vnode_label(&intlabel);
+		mac_vnode_label_free(intlabel);
 		break;
 	case DTYPE_PIPE:
-		error = mac_externalize_pipe_label(&intlabel, elements,
+		error = mac_externalize_pipe_label(intlabel, elements,
 		    buffer, mac.m_buflen);
-		mac_destroy_pipe_label(&intlabel);
+		mac_pipe_label_free(intlabel);
 		break;
 	default:
 		panic("__mac_get_fd: corrupted label_type");
@@ -812,7 +810,7 @@
 {
 	char *elements, *buffer;
 	struct nameidata nd;
-	struct label intlabel;
+	struct label *intlabel;
 	struct mac mac;
 	int error;
 
@@ -839,13 +837,13 @@
 	if (error)
 		goto out;
 
-	mac_init_vnode_label(&intlabel);
-	mac_copy_vnode_label(nd.ni_vp->v_label, &intlabel);
-	error = mac_externalize_vnode_label(&intlabel, elements, buffer,
+	intlabel = mac_vnode_label_alloc();
+	mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
+	error = mac_externalize_vnode_label(intlabel, elements, buffer,
 	    mac.m_buflen);
 
 	NDFREE(&nd, 0);
-	mac_destroy_vnode_label(&intlabel);
+	mac_vnode_label_free(intlabel);
 
 	if (error == 0)
 		error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -867,7 +865,7 @@
 {
 	char *elements, *buffer;
 	struct nameidata nd;
-	struct label intlabel;
+	struct label *intlabel;
 	struct mac mac;
 	int error;
 
@@ -894,12 +892,12 @@
 	if (error)
 		goto out;
 
-	mac_init_vnode_label(&intlabel);
-	mac_copy_vnode_label(nd.ni_vp->v_label, &intlabel);
-	error = mac_externalize_vnode_label(&intlabel, elements, buffer,
+	intlabel = mac_vnode_label_alloc();
+	mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
+	error = mac_externalize_vnode_label(intlabel, elements, buffer,
 	    mac.m_buflen);
 	NDFREE(&nd, 0);
-	mac_destroy_vnode_label(&intlabel);
+	mac_vnode_label_free(intlabel);
 
 	if (error == 0)
 		error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -974,7 +972,7 @@
 int
 __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
 {
-	struct label intlabel;
+	struct label *intlabel;
 	struct pipe *pipe;
 	struct file *fp;
 	struct mount *mp;
@@ -1007,40 +1005,38 @@
 	switch (fp->f_type) {
 	case DTYPE_FIFO:
 	case DTYPE_VNODE:
-		mac_init_vnode_label(&intlabel);
-		error = mac_internalize_vnode_label(&intlabel, buffer);
+		intlabel = mac_vnode_label_alloc();
+		error = mac_internalize_vnode_label(intlabel, buffer);
 		if (error) {
-			mac_destroy_vnode_label(&intlabel);
+			mac_vnode_label_free(intlabel);
 			break;
 		}
 
 		vp = fp->f_vnode;
 		error = vn_start_write(vp, &mp, V_WAIT | PCATCH);
 		if (error != 0) {
-			mac_destroy_vnode_label(&intlabel);
+			mac_vnode_label_free(intlabel);
 			break;
 		}
 
 		vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
-		error = vn_setlabel(vp, &intlabel, td->td_ucred);
+		error = vn_setlabel(vp, intlabel, td->td_ucred);
 		VOP_UNLOCK(vp, 0, td);
 		vn_finished_write(mp);
-
-		mac_destroy_vnode_label(&intlabel);
+		mac_vnode_label_free(intlabel);
 		break;
 
 	case DTYPE_PIPE:
-		mac_init_pipe_label(&intlabel);
-		error = mac_internalize_pipe_label(&intlabel, buffer);
+		intlabel = mac_pipe_label_alloc();
+		error = mac_internalize_pipe_label(intlabel, buffer);
 		if (error == 0) {
 			pipe = fp->f_data;
 			PIPE_LOCK(pipe);
 			error = mac_pipe_label_set(td->td_ucred, pipe,
-			    &intlabel);
+			    intlabel);
 			PIPE_UNLOCK(pipe);
 		}
-
-		mac_destroy_pipe_label(&intlabel);
+		mac_pipe_label_free(intlabel);
 		break;
 
 	default:
@@ -1062,7 +1058,7 @@
 int
 __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
 {
-	struct label intlabel;
+	struct label *intlabel;
 	struct nameidata nd;
 	struct mount *mp;
 	struct mac mac;
@@ -1084,13 +1080,11 @@
 		return (error);
 	}
 
-	mac_init_vnode_label(&intlabel);
-	error = mac_internalize_vnode_label(&intlabel, buffer);
+	intlabel = mac_vnode_label_alloc();
+	error = mac_internalize_vnode_label(intlabel, buffer);
 	free(buffer, M_MACTEMP);
-	if (error) {
-		mac_destroy_vnode_label(&intlabel);
-		return (error);
-	}
+	if (error)
+		goto out;
 
 	mtx_lock(&Giant);				/* VFS */
 
@@ -1100,15 +1094,16 @@
 	if (error == 0) {
 		error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
 		if (error == 0)
-			error = vn_setlabel(nd.ni_vp, &intlabel,
+			error = vn_setlabel(nd.ni_vp, intlabel,
 			    td->td_ucred);
 		vn_finished_write(mp);
 	}
 
 	NDFREE(&nd, 0);
 	mtx_unlock(&Giant);				/* VFS */
-	mac_destroy_vnode_label(&intlabel);
 
+out:
+	mac_vnode_label_free(intlabel);
 	return (error);
 }
 
@@ -1118,7 +1113,7 @@
 int
 __mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
 {
-	struct label intlabel;
+	struct label *intlabel;
 	struct nameidata nd;
 	struct mount *mp;
 	struct mac mac;
@@ -1140,13 +1135,11 @@
 		return (error);
 	}
 
-	mac_init_vnode_label(&intlabel);
-	error = mac_internalize_vnode_label(&intlabel, buffer);
+	intlabel = mac_vnode_label_alloc();
+	error = mac_internalize_vnode_label(intlabel, buffer);
 	free(buffer, M_MACTEMP);
-	if (error) {
-		mac_destroy_vnode_label(&intlabel);
-		return (error);
-	}
+	if (error)
+		goto out;
 
 	mtx_lock(&Giant);				/* VFS */
 
@@ -1156,15 +1149,15 @@
 	if (error == 0) {
 		error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
 		if (error == 0)
-			error = vn_setlabel(nd.ni_vp, &intlabel,
+			error = vn_setlabel(nd.ni_vp, intlabel,
 			    td->td_ucred);
 		vn_finished_write(mp);
 	}
 
 	NDFREE(&nd, 0);
 	mtx_unlock(&Giant);				/* VFS */
-	mac_destroy_vnode_label(&intlabel);
-
+out:
+	mac_vnode_label_free(intlabel);
 	return (error);
 }
 

==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_internal.h#7 (text+ko) ====

@@ -103,11 +103,12 @@
  * the namespaces, etc, should work for these, so for now, sort by
  * object type.
  */
+struct label	*mac_pipe_label_alloc(void);
+void		 mac_pipe_label_free(struct label *label);
+
 int	mac_check_cred_relabel(struct ucred *cred, struct label *newlabel);
-void	mac_destroy_cred_label(struct label *label);
 int	mac_externalize_cred_label(struct label *label, char *elements, 
 	    char *outbuf, size_t outbuflen);
-void	mac_init_cred_label(struct label *label);
 int	mac_internalize_cred_label(struct label *label, char *string);
 void	mac_relabel_cred(struct ucred *cred, struct label *newlabel);
 
@@ -116,10 +117,8 @@
 int	mac_internalize_mount_label(struct label *label, char *string);
 
 void	mac_copy_pipe_label(struct label *src, struct label *dest);
-void	mac_destroy_pipe_label(struct label *label);
 int	mac_externalize_pipe_label(struct label *label, char *elements,
 	    char *outbuf, size_t outbuflen);
-void	mac_init_pipe_label(struct label *label);
 int	mac_internalize_pipe_label(struct label *label, char *string);
 
 int	mac_externalize_vnode_label(struct label *label, char *elements,

==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_net.c#4 (text+ko) ====

@@ -124,15 +124,6 @@
 	bpf_d->bd_label = mac_bpfdesc_label_alloc();
 }
 
-static void
-mac_init_ifnet_label(struct label *label)
-{
-
-	mac_init_label(label);
-	MAC_PERFORM(init_ifnet_label, label);
-	MAC_DEBUG_COUNTER_INC(&nmacifnets);
-}
-
 static struct label *
 mac_ifnet_label_alloc(void)
 {
@@ -229,24 +220,6 @@
 	return (0);
 }
 
-static int
-mac_init_socket_label(struct label *label, int flag)
-{
-	int error;
-
-	mac_init_label(label);
-
-	MAC_CHECK(init_socket_label, label, flag);
-	if (error) {
-		MAC_PERFORM(destroy_socket_label, label);
-		mac_destroy_label(label);
-	} else {
-		MAC_DEBUG_COUNTER_INC(&nmacsockets);
-	}
-
-	return (error);
-}
-
 static struct label *
 mac_socket_label_alloc(int flag)
 {
@@ -320,15 +293,6 @@
 }
 
 static void
-mac_destroy_ifnet_label(struct label *label)
-{
-
-	MAC_PERFORM(destroy_ifnet_label, label);
-	mac_destroy_label(label);
-	MAC_DEBUG_COUNTER_DEC(&nmacifnets);
-}
-
-static void
 mac_ifnet_label_free(struct label *label)
 {
 
@@ -372,15 +336,6 @@
 }
 
 static void
-mac_destroy_socket_label(struct label *label)
-{
-
-	MAC_PERFORM(destroy_socket_label, label);
-	mac_destroy_label(label);
-	MAC_DEBUG_COUNTER_DEC(&nmacsockets);
-}
-
-static void
 mac_socket_label_free(struct label *label)
 {
 
@@ -891,7 +846,7 @@
 mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
     struct ifnet *ifnet)
 {
-	struct label intlabel;
+	struct label *intlabel;
 	struct mac mac;
 	char *buffer;
 	int error;
@@ -911,11 +866,11 @@
 		return (error);
 	}
 
-	mac_init_ifnet_label(&intlabel);
-	error = mac_internalize_ifnet_label(&intlabel, buffer);
+	intlabel = mac_ifnet_label_alloc();
+	error = mac_internalize_ifnet_label(intlabel, buffer);
 	free(buffer, M_MACTEMP);
 	if (error) {
-		mac_destroy_ifnet_label(&intlabel);
+		mac_ifnet_label_free(intlabel);
 		return (error);
 	}
 
@@ -926,20 +881,20 @@
 	 */
 	error = suser_cred(cred, 0);
 	if (error) {
-		mac_destroy_ifnet_label(&intlabel);
+		mac_ifnet_label_free(intlabel);
 		return (error);
 	}
 
 	MAC_CHECK(check_ifnet_relabel, cred, ifnet, ifnet->if_label,
-	    &intlabel);
+	    intlabel);
 	if (error) {
-		mac_destroy_ifnet_label(&intlabel);
+		mac_ifnet_label_free(intlabel);
 		return (error);
 	}
 
-	MAC_PERFORM(relabel_ifnet, cred, ifnet, ifnet->if_label, &intlabel);
+	MAC_PERFORM(relabel_ifnet, cred, ifnet, ifnet->if_label, intlabel);
 
-	mac_destroy_ifnet_label(&intlabel);
+	mac_ifnet_label_free(intlabel);
 	return (0);
 }
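Review bot: The new code repeats `mac_ifnet_label_free(intlabel); return (error);` four times (after the internalize failure, the suser_cred failure, the check_ifnet_relabel failure and the success path), whereas the kern_mac.c hunks in this same change consolidate the equivalent pattern behind a single `out:` label. For consistency, and so that a future exit path cannot forget the free, the failure branches could become `goto out;` with `out: mac_ifnet_label_free(intlabel); return (error);` at the end and the success path setting `error = 0` before falling through. This is a style point only; the cleanup on each visible path is correct.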
 
@@ -947,7 +902,7 @@
 mac_setsockopt_label_set(struct ucred *cred, struct socket *so,
     struct mac *mac)
 {
-	struct label intlabel;
+	struct label *intlabel;
 	char *buffer;
 	int error;
 
@@ -962,23 +917,23 @@
 		return (error);
 	}
 
-	mac_init_socket_label(&intlabel, M_WAITOK);
-	error = mac_internalize_socket_label(&intlabel, buffer);
+	intlabel = mac_socket_label_alloc(M_WAITOK);
+	error = mac_internalize_socket_label(intlabel, buffer);
 	free(buffer, M_MACTEMP);
 	if (error) {
-		mac_destroy_socket_label(&intlabel);
+		mac_socket_label_free(intlabel);
 		return (error);
 	}
 
-	mac_check_socket_relabel(cred, so, &intlabel);
+	mac_check_socket_relabel(cred, so, intlabel);
 	if (error) {
-		mac_destroy_socket_label(&intlabel);
+		mac_socket_label_free(intlabel);
 		return (error);
 	}
 
-	mac_relabel_socket(cred, so, &intlabel);
+	mac_relabel_socket(cred, so, intlabel);
 
-	mac_destroy_socket_label(&intlabel);
+	mac_socket_label_free(intlabel);
 	return (0);
 }
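Review bot: The result of `mac_check_socket_relabel(cred, so, intlabel);` is discarded, so the following `if (error)` tests the value left by mac_internalize_socket_label, which is zero on this path; the relabel access check can therefore never reject the operation. The removed line had the same omission, so this predates the change, but it is carried into the new code and is the one security-relevant check in the function. The line should read `error = mac_check_socket_relabel(cred, so, intlabel);`. The rest of the new cleanup (free on every return) looks correct.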
 

==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_pipe.c#4 (text+ko) ====

@@ -61,16 +61,7 @@
     &nmacpipes, 0, "number of pipes in use");
 #endif
 
-void
-mac_init_pipe_label(struct label *label)
-{
-
-	mac_init_label(label);
-	MAC_PERFORM(init_pipe_label, label);
-	MAC_DEBUG_COUNTER_INC(&nmacpipes);
-}
-
-static struct label *
+struct label *
 mac_pipe_label_alloc(void)
 {
 	struct label *label;
@@ -90,15 +81,6 @@
 }
 
 void
-mac_destroy_pipe_label(struct label *label)
-{
-
-	MAC_PERFORM(destroy_pipe_label, label);
-	mac_destroy_label(label);
-	MAC_DEBUG_COUNTER_DEC(&nmacpipes);
-}
-
-static void
 mac_pipe_label_free(struct label *label)
 {
 

==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_process.c#4 (text+ko) ====

@@ -96,16 +96,7 @@
 static void	mac_cred_mmapped_drop_perms_recurse(struct thread *td,
 		    struct ucred *cred, struct vm_map *map);
 
-void
-mac_init_cred_label(struct label *label)
-{
-
-	mac_init_label(label);
-	MAC_PERFORM(init_cred_label, label);
-	MAC_DEBUG_COUNTER_INC(&nmaccreds);
-}
-
-static struct label *
+struct label *
 mac_cred_label_alloc(void)
 {
 	struct label *label;
@@ -141,7 +132,7 @@
 	p->p_label = mac_proc_label_alloc();
 }
 
-static void
+void
 mac_cred_label_free(struct label *label)
 {
 
@@ -151,15 +142,6 @@
 }
 
 void
-mac_destroy_cred_label(struct label *label)
-{
-
-	MAC_PERFORM(destroy_cred_label, label);
-	mac_destroy_label(label);
-	MAC_DEBUG_COUNTER_DEC(&nmaccreds);
-}
-
-void
 mac_destroy_cred(struct ucred *cred)
 {
 
@@ -247,9 +229,9 @@
 }
 
 int
-mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
-    struct label *execlabelstorage)
+mac_execve_enter(struct image_params *imgp, struct mac *mac_p)
 {
+	struct label *label;
 	struct mac mac;
 	char *buffer;
 	int error;
@@ -272,22 +254,24 @@
 		return (error);
 	}
 
-	mac_init_cred_label(execlabelstorage);
-	error = mac_internalize_cred_label(execlabelstorage, buffer);
+	label = mac_cred_label_alloc();
+	error = mac_internalize_cred_label(label, buffer);
 	free(buffer, M_MACTEMP);
 	if (error) {
-		mac_destroy_cred_label(execlabelstorage);
+		mac_cred_label_free(label);
 		return (error);
 	}
-	imgp->execlabel = execlabelstorage;
+	imgp->execlabel = label;
 	return (0);
 }
 
 void
 mac_execve_exit(struct image_params *imgp)
 {
-	if (imgp->execlabel != NULL)
-		mac_destroy_cred_label(imgp->execlabel);
+	if (imgp->execlabel != NULL) {
+		mac_cred_label_free(imgp->execlabel);
+		imgp->execlabel = NULL;
+	}
 }
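Review bot: Ownership of the label that mac_execve_enter now allocates is undocumented: it is stored in `imgp->execlabel`, and mac_execve_exit both frees it and clears the pointer, so exit is idempotent but callers must never free imgp->execlabel themselves. A header comment on mac_execve_enter along the lines of `/* On success the allocated label is owned by imgp->execlabel and is released only by mac_execve_exit(), which also clears the pointer; callers must not free it. */` would make that contract explicit. Note also that the early-return paths above the allocation (visible `return (error);` at the top of the second hunk) leave imgp->execlabel untouched, so mac_execve_exit presumably relies on the caller having zeroed the field beforehand — worth stating in the same comment.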
 
 /*

==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_vfs.c#6 (text+ko) ====

@@ -156,16 +156,7 @@
 	mp->mnt_fslabel = mac_mount_fs_label_alloc();
 }
 
-void
-mac_init_vnode_label(struct label *label)
-{
-
-	mac_init_label(label);
-	MAC_PERFORM(init_vnode_label, label);
-	MAC_DEBUG_COUNTER_INC(&nmacvnodes);
-}
-
-static struct label *
+struct label *
 mac_vnode_label_alloc(void)
 {
 	struct label *label;
@@ -237,15 +228,6 @@
 }
 
 void
-mac_destroy_vnode_label(struct label *label)
-{
-
-	MAC_PERFORM(destroy_vnode_label, label);
-	mac_destroy_label(label);
-	MAC_DEBUG_COUNTER_DEC(&nmacvnodes);
-}
-
-static void
 mac_vnode_label_free(struct label *label)
 {
 

==== //depot/projects/trustedbsd/sebsd/sys/security/mac_biba/mac_biba.c#8 (text+ko) ====


==== //depot/projects/trustedbsd/sebsd/sys/sys/mac.h#11 (text+ko) ====

@@ -158,7 +158,6 @@
 void	mac_init_mount(struct mount *);
 void	mac_init_proc(struct proc *);
 void	mac_init_vnode(struct vnode *);
-void	mac_init_vnode_label(struct label *);
 void	mac_init_mount_label(struct label *);
 void	mac_copy_mbuf_tag(struct m_tag *, struct m_tag *);
 void	mac_copy_vnode_label(struct label *, struct label *label);
@@ -180,9 +179,13 @@
 void	mac_destroy_mbuf_tag(struct m_tag *);
 void	mac_destroy_mount(struct mount *);
 void	mac_destroy_vnode(struct vnode *);
-void	mac_destroy_vnode_label(struct label *);
 void	mac_destroy_mount_label(struct label *);
 
+struct label	*mac_cred_label_alloc(void);
+void		 mac_cred_label_free(struct label *label);
+struct label	*mac_vnode_label_alloc(void);
+void		 mac_vnode_label_free(struct label *label);
+
 /*
  * Labeling event operations: file system objects, and things that
  * look a lot like file system objects.
@@ -264,8 +267,7 @@
  * Labeling event operations: processes.
  */
 void	mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child);
-int	mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
-	    struct label *execlabel);
+int	mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
 void	mac_execve_exit(struct image_params *imgp);
 void	mac_execve_transition(struct ucred *old, struct ucred *new,
 	    struct vnode *vp, struct label *interpvnodelabel,