From owner-svn-src-all@FreeBSD.ORG Fri May 1 21:05:41 2009 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5988410656D5; Fri, 1 May 2009 21:05:41 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 460F88FC15; Fri, 1 May 2009 21:05:41 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n41L5fRV053282; Fri, 1 May 2009 21:05:41 GMT (envelope-from rwatson@svn.freebsd.org) Received: (from rwatson@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id n41L5eAP053273; Fri, 1 May 2009 21:05:40 GMT (envelope-from rwatson@svn.freebsd.org) Message-Id: <200905012105.n41L5eAP053273@svn.freebsd.org> 
From: Robert Watson Date: Fri, 1 May 2009 21:05:40 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r191731 - head/sys/security/mac X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 May 2009 21:05:42 -0000 Author: rwatson Date: Fri May 1 21:05:40 2009 New Revision: 191731 URL: http://svn.freebsd.org/changeset/base/191731 Log: Rename MAC Framework-internal macros used to invoke policy entry points: MAC_BOOLEAN -> MAC_POLICY_BOOLEAN MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEAN_NOSLEEP MAC_CHECK -> MAC_POLICY_CHECK MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE MAC_GRANT -> MAC_POLICY_GRANT MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP This frees up those macro names for use in wrapping calls into the MAC Framework from the remainder of the kernel. 
Obtained from: TrustedBSD Project Modified: head/sys/security/mac/mac_atalk.c head/sys/security/mac/mac_audit.c head/sys/security/mac/mac_cred.c head/sys/security/mac/mac_inet.c head/sys/security/mac/mac_inet6.c head/sys/security/mac/mac_internal.h head/sys/security/mac/mac_net.c head/sys/security/mac/mac_pipe.c head/sys/security/mac/mac_posix_sem.c head/sys/security/mac/mac_posix_shm.c head/sys/security/mac/mac_priv.c head/sys/security/mac/mac_process.c head/sys/security/mac/mac_socket.c head/sys/security/mac/mac_system.c head/sys/security/mac/mac_sysv_msg.c head/sys/security/mac/mac_sysv_sem.c head/sys/security/mac/mac_sysv_shm.c head/sys/security/mac/mac_vfs.c Modified: head/sys/security/mac/mac_atalk.c ============================================================================== --- head/sys/security/mac/mac_atalk.c Fri May 1 20:53:37 2009 (r191730) +++ head/sys/security/mac/mac_atalk.c Fri May 1 21:05:40 2009 (r191731) @@ -64,7 +64,7 @@ mac_netatalk_aarp_send(struct ifnet *ifp mlabel = mac_mbuf_to_label(m); MAC_IFNET_LOCK(ifp); - MAC_PERFORM_NOSLEEP(netatalk_aarp_send, ifp, ifp->if_label, m, + MAC_POLICY_PERFORM_NOSLEEP(netatalk_aarp_send, ifp, ifp->if_label, m, mlabel); MAC_IFNET_UNLOCK(ifp); } Modified: head/sys/security/mac/mac_audit.c ============================================================================== --- head/sys/security/mac/mac_audit.c Fri May 1 20:53:37 2009 (r191730) +++ head/sys/security/mac/mac_audit.c Fri May 1 21:05:40 2009 (r191731) @@ -66,7 +66,7 @@ mac_cred_check_setaudit(struct ucred *cr { int error; - MAC_CHECK_NOSLEEP(cred_check_setaudit, cred, ai); + MAC_POLICY_CHECK_NOSLEEP(cred_check_setaudit, cred, ai); MAC_CHECK_PROBE2(cred_check_setaudit, error, cred, ai); return (error); 
@@ -80,7 +80,7 @@ mac_cred_check_setaudit_addr(struct ucre { int error; - MAC_CHECK_NOSLEEP(cred_check_setaudit_addr, cred, aia); + MAC_POLICY_CHECK_NOSLEEP(cred_check_setaudit_addr, cred, aia); MAC_CHECK_PROBE2(cred_check_setaudit_addr, error, cred, aia); return (error); @@ -93,7 +93,7 @@ mac_cred_check_setauid(struct ucred *cre { int error; - MAC_CHECK_NOSLEEP(cred_check_setauid, cred, auid); + MAC_POLICY_CHECK_NOSLEEP(cred_check_setauid, cred, auid); MAC_CHECK_PROBE2(cred_check_setauid, error, cred, auid); return (error); @@ -107,7 +107,7 @@ mac_system_check_audit(struct ucred *cre { int error; - MAC_CHECK_NOSLEEP(system_check_audit, cred, record, length); + MAC_POLICY_CHECK_NOSLEEP(system_check_audit, cred, record, length); MAC_CHECK_PROBE3(system_check_audit, error, cred, record, length); return (error); @@ -125,7 +125,7 @@ mac_system_check_auditctl(struct ucred * ASSERT_VOP_LOCKED(vp, "mac_system_check_auditctl"); vl = (vp != NULL) ? vp->v_label : NULL; - MAC_CHECK(system_check_auditctl, cred, vp, vl); + MAC_POLICY_CHECK(system_check_auditctl, cred, vp, vl); MAC_CHECK_PROBE2(system_check_auditctl, error, cred, vp); return (error); @@ -138,7 +138,7 @@ mac_system_check_auditon(struct ucred *c { int error; - MAC_CHECK_NOSLEEP(system_check_auditon, cred, cmd); + MAC_POLICY_CHECK_NOSLEEP(system_check_auditon, cred, cmd); MAC_CHECK_PROBE2(system_check_auditon, error, cred, cmd); return (error); Modified: head/sys/security/mac/mac_cred.c ============================================================================== --- head/sys/security/mac/mac_cred.c Fri May 1 20:53:37 2009 (r191730) +++ head/sys/security/mac/mac_cred.c Fri May 1 21:05:40 2009 (r191731) @@ -82,7 +82,7 @@ mac_cred_label_alloc(void) struct label *label; label = mac_labelzone_alloc(M_WAITOK); - MAC_PERFORM(cred_init_label, label); + MAC_POLICY_PERFORM(cred_init_label, label); return (label); } 
@@ -100,7 +100,7 @@ void mac_cred_label_free(struct label *label) { - MAC_PERFORM_NOSLEEP(cred_destroy_label, label); + MAC_POLICY_PERFORM_NOSLEEP(cred_destroy_label, label); mac_labelzone_free(label); } @@ -127,7 +127,7 @@ void mac_cred_associate_nfsd(struct ucred *cred) { - MAC_PERFORM_NOSLEEP(cred_associate_nfsd, cred); + MAC_POLICY_PERFORM_NOSLEEP(cred_associate_nfsd, cred); } /* @@ -138,7 +138,7 @@ void mac_cred_create_swapper(struct ucred *cred) { - MAC_PERFORM_NOSLEEP(cred_create_swapper, cred); + MAC_POLICY_PERFORM_NOSLEEP(cred_create_swapper, cred); } /* @@ -149,7 +149,7 @@ void mac_cred_create_init(struct ucred *cred) { - MAC_PERFORM_NOSLEEP(cred_create_init, cred); + MAC_POLICY_PERFORM_NOSLEEP(cred_create_init, cred); } int @@ -158,7 +158,7 @@ mac_cred_externalize_label(struct label { int error; - MAC_EXTERNALIZE(cred, label, elements, outbuf, outbuflen); + MAC_POLICY_EXTERNALIZE(cred, label, elements, outbuf, outbuflen); return (error); } @@ -168,7 +168,7 @@ mac_cred_internalize_label(struct label { int error; - MAC_INTERNALIZE(cred, label, string); + MAC_POLICY_INTERNALIZE(cred, label, string); return (error); } @@ -182,7 +182,8 @@ void mac_cred_copy(struct ucred *src, struct ucred *dest) { - MAC_PERFORM_NOSLEEP(cred_copy_label, src->cr_label, dest->cr_label); + MAC_POLICY_PERFORM_NOSLEEP(cred_copy_label, src->cr_label, + dest->cr_label); } /* @@ -194,7 +195,7 @@ void mac_cred_relabel(struct ucred *cred, struct label *newlabel) { - MAC_PERFORM_NOSLEEP(cred_relabel, cred, newlabel); + MAC_POLICY_PERFORM_NOSLEEP(cred_relabel, cred, newlabel); } MAC_CHECK_PROBE_DEFINE2(cred_check_relabel, "struct ucred *", @@ -205,7 +206,7 @@ mac_cred_check_relabel(struct ucred *cre { int error; - MAC_CHECK_NOSLEEP(cred_check_relabel, cred, newlabel); + MAC_POLICY_CHECK_NOSLEEP(cred_check_relabel, cred, newlabel); MAC_CHECK_PROBE2(cred_check_relabel, error, cred, newlabel); return (error); 
@@ -218,7 +219,7 @@ mac_cred_check_setuid(struct ucred *cred { int error; - MAC_CHECK_NOSLEEP(cred_check_setuid, cred, uid); + MAC_POLICY_CHECK_NOSLEEP(cred_check_setuid, cred, uid); MAC_CHECK_PROBE2(cred_check_setuid, error, cred, uid); return (error); @@ -231,7 +232,7 @@ mac_cred_check_seteuid(struct ucred *cre { int error; - MAC_CHECK_NOSLEEP(cred_check_seteuid, cred, euid); + MAC_POLICY_CHECK_NOSLEEP(cred_check_seteuid, cred, euid); MAC_CHECK_PROBE2(cred_check_seteuid, error, cred, euid); return (error); @@ -244,7 +245,7 @@ mac_cred_check_setgid(struct ucred *cred { int error; - MAC_CHECK_NOSLEEP(cred_check_setgid, cred, gid); + MAC_POLICY_CHECK_NOSLEEP(cred_check_setgid, cred, gid); MAC_CHECK_PROBE2(cred_check_setgid, error, cred, gid); return (error); @@ -257,7 +258,7 @@ mac_cred_check_setegid(struct ucred *cre { int error; - MAC_CHECK_NOSLEEP(cred_check_setegid, cred, egid); + MAC_POLICY_CHECK_NOSLEEP(cred_check_setegid, cred, egid); MAC_CHECK_PROBE2(cred_check_setegid, error, cred, egid); return (error); @@ -271,7 +272,7 @@ mac_cred_check_setgroups(struct ucred *c { int error; - MAC_CHECK_NOSLEEP(cred_check_setgroups, cred, ngroups, gidset); + MAC_POLICY_CHECK_NOSLEEP(cred_check_setgroups, cred, ngroups, gidset); MAC_CHECK_PROBE3(cred_check_setgroups, error, cred, ngroups, gidset); return (error); @@ -285,7 +286,7 @@ mac_cred_check_setreuid(struct ucred *cr { int error; - MAC_CHECK_NOSLEEP(cred_check_setreuid, cred, ruid, euid); + MAC_POLICY_CHECK_NOSLEEP(cred_check_setreuid, cred, ruid, euid); MAC_CHECK_PROBE3(cred_check_setreuid, error, cred, ruid, euid); return (error); @@ -299,7 +300,7 @@ mac_cred_check_setregid(struct ucred *cr { int error; - MAC_CHECK_NOSLEEP(cred_check_setregid, cred, rgid, egid); + MAC_POLICY_CHECK_NOSLEEP(cred_check_setregid, cred, rgid, egid); MAC_CHECK_PROBE3(cred_check_setregid, error, cred, rgid, egid); return (error); 
@@ -314,7 +315,7 @@ mac_cred_check_setresuid(struct ucred *c { int error; - MAC_CHECK_NOSLEEP(cred_check_setresuid, cred, ruid, euid, suid); + MAC_POLICY_CHECK_NOSLEEP(cred_check_setresuid, cred, ruid, euid, suid); MAC_CHECK_PROBE4(cred_check_setresuid, error, cred, ruid, euid, suid); @@ -330,7 +331,7 @@ mac_cred_check_setresgid(struct ucred *c { int error; - MAC_CHECK_NOSLEEP(cred_check_setresgid, cred, rgid, egid, sgid); + MAC_POLICY_CHECK_NOSLEEP(cred_check_setresgid, cred, rgid, egid, sgid); MAC_CHECK_PROBE4(cred_check_setresgid, error, cred, rgid, egid, sgid); @@ -345,7 +346,7 @@ mac_cred_check_visible(struct ucred *cr1 { int error; - MAC_CHECK_NOSLEEP(cred_check_visible, cr1, cr2); + MAC_POLICY_CHECK_NOSLEEP(cred_check_visible, cr1, cr2); MAC_CHECK_PROBE2(cred_check_visible, error, cr1, cr2); return (error); Modified: head/sys/security/mac/mac_inet.c ============================================================================== --- head/sys/security/mac/mac_inet.c Fri May 1 20:53:37 2009 (r191730) +++ head/sys/security/mac/mac_inet.c Fri May 1 21:05:40 2009 (r191731) @@ -85,11 +85,11 @@ mac_inpcb_label_alloc(int flag) if (label == NULL) return (NULL); if (flag & M_WAITOK) - MAC_CHECK(inpcb_init_label, label, flag); + MAC_POLICY_CHECK(inpcb_init_label, label, flag); else - MAC_CHECK_NOSLEEP(inpcb_init_label, label, flag); + MAC_POLICY_CHECK_NOSLEEP(inpcb_init_label, label, flag); if (error) { - MAC_PERFORM_NOSLEEP(inpcb_destroy_label, label); + MAC_POLICY_PERFORM_NOSLEEP(inpcb_destroy_label, label); mac_labelzone_free(label); return (NULL); } 
@@ -120,11 +120,11 @@ mac_ipq_label_alloc(int flag) return (NULL); if (flag & M_WAITOK) - MAC_CHECK(ipq_init_label, label, flag); + MAC_POLICY_CHECK(ipq_init_label, label, flag); else - MAC_CHECK_NOSLEEP(ipq_init_label, label, flag); + MAC_POLICY_CHECK_NOSLEEP(ipq_init_label, label, flag); if (error) { - MAC_PERFORM_NOSLEEP(ipq_destroy_label, label); + MAC_POLICY_PERFORM_NOSLEEP(ipq_destroy_label, label); mac_labelzone_free(label); return (NULL); } @@ -148,7 +148,7 @@ static void mac_inpcb_label_free(struct label *label) { - MAC_PERFORM_NOSLEEP(inpcb_destroy_label, label); + MAC_POLICY_PERFORM_NOSLEEP(inpcb_destroy_label, label); mac_labelzone_free(label); } @@ -166,7 +166,7 @@ static void mac_ipq_label_free(struct label *label) { - MAC_PERFORM_NOSLEEP(ipq_destroy_label, label); + MAC_POLICY_PERFORM_NOSLEEP(ipq_destroy_label, label); mac_labelzone_free(label); } @@ -184,7 +184,7 @@ void mac_inpcb_create(struct socket *so, struct inpcb *inp) { - MAC_PERFORM_NOSLEEP(inpcb_create, so, so->so_label, inp, + MAC_POLICY_PERFORM_NOSLEEP(inpcb_create, so, so->so_label, inp, inp->inp_label); } @@ -195,7 +195,8 @@ mac_ipq_reassemble(struct ipq *q, struct label = mac_mbuf_to_label(m); - MAC_PERFORM_NOSLEEP(ipq_reassemble, q, q->ipq_label, m, label); + MAC_POLICY_PERFORM_NOSLEEP(ipq_reassemble, q, q->ipq_label, m, + label); } void @@ -206,7 +207,8 @@ mac_netinet_fragment(struct mbuf *m, str mlabel = mac_mbuf_to_label(m); fraglabel = mac_mbuf_to_label(frag); - MAC_PERFORM_NOSLEEP(netinet_fragment, m, mlabel, frag, fraglabel); + MAC_POLICY_PERFORM_NOSLEEP(netinet_fragment, m, mlabel, frag, + fraglabel); } void @@ -216,7 +218,7 @@ mac_ipq_create(struct mbuf *m, struct ip label = mac_mbuf_to_label(m); - MAC_PERFORM_NOSLEEP(ipq_create, m, label, q, q->ipq_label); + MAC_POLICY_PERFORM_NOSLEEP(ipq_create, m, label, q, q->ipq_label); } void 
@@ -227,7 +229,7 @@ mac_inpcb_create_mbuf(struct inpcb *inp, INP_LOCK_ASSERT(inp); mlabel = mac_mbuf_to_label(m); - MAC_PERFORM_NOSLEEP(inpcb_create_mbuf, inp, inp->inp_label, m, + MAC_POLICY_PERFORM_NOSLEEP(inpcb_create_mbuf, inp, inp->inp_label, m, mlabel); } @@ -240,7 +242,7 @@ mac_ipq_match(struct mbuf *m, struct ipq label = mac_mbuf_to_label(m); result = 1; - MAC_BOOLEAN_NOSLEEP(ipq_match, &&, m, label, q, q->ipq_label); + MAC_POLICY_BOOLEAN_NOSLEEP(ipq_match, &&, m, label, q, q->ipq_label); return (result); } @@ -253,7 +255,8 @@ mac_netinet_arp_send(struct ifnet *ifp, mlabel = mac_mbuf_to_label(m); MAC_IFNET_LOCK(ifp); - MAC_PERFORM_NOSLEEP(netinet_arp_send, ifp, ifp->if_label, m, mlabel); + MAC_POLICY_PERFORM_NOSLEEP(netinet_arp_send, ifp, ifp->if_label, m, + mlabel); MAC_IFNET_UNLOCK(ifp); } @@ -265,8 +268,8 @@ mac_netinet_icmp_reply(struct mbuf *mrec mrecvlabel = mac_mbuf_to_label(mrecv); msendlabel = mac_mbuf_to_label(msend); - MAC_PERFORM_NOSLEEP(netinet_icmp_reply, mrecv, mrecvlabel, msend, - msendlabel); + MAC_POLICY_PERFORM_NOSLEEP(netinet_icmp_reply, mrecv, mrecvlabel, + msend, msendlabel); } void @@ -276,7 +279,7 @@ mac_netinet_icmp_replyinplace(struct mbu label = mac_mbuf_to_label(m); - MAC_PERFORM_NOSLEEP(netinet_icmp_replyinplace, m, label); + MAC_POLICY_PERFORM_NOSLEEP(netinet_icmp_replyinplace, m, label); } void @@ -287,7 +290,7 @@ mac_netinet_igmp_send(struct ifnet *ifp, mlabel = mac_mbuf_to_label(m); MAC_IFNET_LOCK(ifp); - MAC_PERFORM_NOSLEEP(netinet_igmp_send, ifp, ifp->if_label, m, + MAC_POLICY_PERFORM_NOSLEEP(netinet_igmp_send, ifp, ifp->if_label, m, mlabel); MAC_IFNET_UNLOCK(ifp); } @@ -299,7 +302,7 @@ mac_netinet_tcp_reply(struct mbuf *m) label = mac_mbuf_to_label(m); - MAC_PERFORM_NOSLEEP(netinet_tcp_reply, m, label); + MAC_POLICY_PERFORM_NOSLEEP(netinet_tcp_reply, m, label); } void 
@@ -309,7 +312,7 @@ mac_ipq_update(struct mbuf *m, struct ip label = mac_mbuf_to_label(m); - MAC_PERFORM_NOSLEEP(ipq_update, m, label, q, q->ipq_label); + MAC_POLICY_PERFORM_NOSLEEP(ipq_update, m, label, q, q->ipq_label); } MAC_CHECK_PROBE_DEFINE2(inpcb_check_deliver, "struct inpcb *", @@ -325,7 +328,7 @@ mac_inpcb_check_deliver(struct inpcb *in label = mac_mbuf_to_label(m); - MAC_CHECK_NOSLEEP(inpcb_check_deliver, inp, inp->inp_label, m, + MAC_POLICY_CHECK_NOSLEEP(inpcb_check_deliver, inp, inp->inp_label, m, label); MAC_CHECK_PROBE2(inpcb_check_deliver, error, inp, m); @@ -342,7 +345,8 @@ mac_inpcb_check_visible(struct ucred *cr INP_LOCK_ASSERT(inp); - MAC_CHECK_NOSLEEP(inpcb_check_visible, cred, inp, inp->inp_label); + MAC_POLICY_CHECK_NOSLEEP(inpcb_check_visible, cred, inp, + inp->inp_label); MAC_CHECK_PROBE2(inpcb_check_visible, error, cred, inp); return (error); @@ -355,7 +359,7 @@ mac_inpcb_sosetlabel(struct socket *so, INP_WLOCK_ASSERT(inp); SOCK_LOCK_ASSERT(so); - MAC_PERFORM_NOSLEEP(inpcb_sosetlabel, so, so->so_label, inp, + MAC_POLICY_PERFORM_NOSLEEP(inpcb_sosetlabel, so, so->so_label, inp, inp->inp_label); } @@ -370,8 +374,8 @@ mac_netinet_firewall_reply(struct mbuf * mrecvlabel = mac_mbuf_to_label(mrecv); msendlabel = mac_mbuf_to_label(msend); - MAC_PERFORM_NOSLEEP(netinet_firewall_reply, mrecv, mrecvlabel, msend, - msendlabel); + MAC_POLICY_PERFORM_NOSLEEP(netinet_firewall_reply, mrecv, mrecvlabel, + msend, msendlabel); } void @@ -383,7 +387,7 @@ mac_netinet_firewall_send(struct mbuf *m label = mac_mbuf_to_label(m); - MAC_PERFORM_NOSLEEP(netinet_firewall_send, m, label); + MAC_POLICY_PERFORM_NOSLEEP(netinet_firewall_send, m, label); } /* @@ -400,7 +404,7 @@ mac_syncache_destroy(struct label **labe { if (*label != NULL) { - MAC_PERFORM_NOSLEEP(syncache_destroy_label, *label); + MAC_POLICY_PERFORM_NOSLEEP(syncache_destroy_label, *label); mac_labelzone_free(*label); *label = NULL; } 
@@ -422,9 +426,11 @@ mac_syncache_init(struct label **label) * MAC_PERFORM so we can propagate allocation failures back * to the syncache code. */ - MAC_CHECK_NOSLEEP(syncache_init_label, *label, M_NOWAIT); + MAC_POLICY_CHECK_NOSLEEP(syncache_init_label, *label, + M_NOWAIT); if (error) { - MAC_PERFORM_NOSLEEP(syncache_destroy_label, *label); + MAC_POLICY_PERFORM_NOSLEEP(syncache_destroy_label, + *label); mac_labelzone_free(*label); } return (error); @@ -439,7 +445,7 @@ mac_syncache_create(struct label *label, INP_WLOCK_ASSERT(inp); - MAC_PERFORM_NOSLEEP(syncache_create, label, inp); + MAC_POLICY_PERFORM_NOSLEEP(syncache_create, label, inp); } void @@ -451,5 +457,6 @@ mac_syncache_create_mbuf(struct label *s mlabel = mac_mbuf_to_label(m); - MAC_PERFORM_NOSLEEP(syncache_create_mbuf, sc_label, m, mlabel); + MAC_POLICY_PERFORM_NOSLEEP(syncache_create_mbuf, sc_label, m, + mlabel); } Modified: head/sys/security/mac/mac_inet6.c ============================================================================== --- head/sys/security/mac/mac_inet6.c Fri May 1 20:53:37 2009 (r191730) +++ head/sys/security/mac/mac_inet6.c Fri May 1 21:05:40 2009 (r191731) @@ -71,11 +71,11 @@ mac_ip6q_label_alloc(int flag) return (NULL); if (flag & M_WAITOK) - MAC_CHECK(ip6q_init_label, label, flag); + MAC_POLICY_CHECK(ip6q_init_label, label, flag); else - MAC_CHECK_NOSLEEP(ip6q_init_label, label, flag); + MAC_POLICY_CHECK_NOSLEEP(ip6q_init_label, label, flag); if (error) { - MAC_PERFORM_NOSLEEP(ip6q_destroy_label, label); + MAC_POLICY_PERFORM_NOSLEEP(ip6q_destroy_label, label); mac_labelzone_free(label); return (NULL); } @@ -99,7 +99,7 @@ static void mac_ip6q_label_free(struct label *label) { - MAC_PERFORM_NOSLEEP(ip6q_destroy_label, label); + MAC_POLICY_PERFORM_NOSLEEP(ip6q_destroy_label, label); mac_labelzone_free(label); } 
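Review bot: The block comment kept as context in the mac_syncache_init hunk (`@@ -422,9 +426,11 @@`) still names the old macro, `* MAC_PERFORM so we can propagate allocation failures back`, while the call directly below it is now `MAC_POLICY_CHECK_NOSLEEP`. Since the log says the old names are being freed for wrappers used by the rest of the kernel, a comment that keeps saying MAC_PERFORM will later point readers at a different layer than the policy-dispatch macro it means. I would change the line to `* MAC_POLICY_PERFORM so we can propagate allocation failures back`. The comment starts above the hunk, so any earlier reference to the check macro there probably needs the same update.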
@@ -120,7 +120,8 @@ mac_ip6q_reassemble(struct ip6q *q6, str label = mac_mbuf_to_label(m); - MAC_PERFORM_NOSLEEP(ip6q_reassemble, q6, q6->ip6q_label, m, label); + MAC_POLICY_PERFORM_NOSLEEP(ip6q_reassemble, q6, q6->ip6q_label, m, + label); } void @@ -130,7 +131,8 @@ mac_ip6q_create(struct mbuf *m, struct i label = mac_mbuf_to_label(m); - MAC_PERFORM_NOSLEEP(ip6q_create, m, label, q6, q6->ip6q_label); + MAC_POLICY_PERFORM_NOSLEEP(ip6q_create, m, label, q6, + q6->ip6q_label); } int @@ -142,7 +144,8 @@ mac_ip6q_match(struct mbuf *m, struct ip label = mac_mbuf_to_label(m); result = 1; - MAC_BOOLEAN_NOSLEEP(ip6q_match, &&, m, label, q6, q6->ip6q_label); + MAC_POLICY_BOOLEAN_NOSLEEP(ip6q_match, &&, m, label, q6, + q6->ip6q_label); return (result); } @@ -154,7 +157,8 @@ mac_ip6q_update(struct mbuf *m, struct i label = mac_mbuf_to_label(m); - MAC_PERFORM_NOSLEEP(ip6q_update, m, label, q6, q6->ip6q_label); + MAC_POLICY_PERFORM_NOSLEEP(ip6q_update, m, label, q6, + q6->ip6q_label); } void @@ -164,6 +168,6 @@ mac_netinet6_nd6_send(struct ifnet *ifp, mlabel = mac_mbuf_to_label(m); - MAC_PERFORM_NOSLEEP(netinet6_nd6_send, ifp, ifp->if_label, m, + MAC_POLICY_PERFORM_NOSLEEP(netinet6_nd6_send, ifp, ifp->if_label, m, mlabel); } Modified: head/sys/security/mac/mac_internal.h ============================================================================== --- head/sys/security/mac/mac_internal.h Fri May 1 20:53:37 2009 (r191730) +++ head/sys/security/mac/mac_internal.h Fri May 1 21:05:40 2009 (r191731) 
@@ -257,11 +257,11 @@ int vn_setlabel(struct vnode *vp, struct * specific entry point. They come in two forms: one which permits policies * to sleep/block, and another that does not. * - * MAC_CHECK performs the designated check by walking the policy module list - * and checking with each as to how it feels about the request. Note that it - * returns its value via 'error' in the scope of the caller. + * MAC_POLICY_CHECK performs the designated check by walking the policy + * module list and checking with each as to how it feels about the request. + * Note that it returns its value via 'error' in the scope of the caller. */ -#define MAC_CHECK(check, args...) do { \ +#define MAC_POLICY_CHECK(check, args...) do { \ struct mac_policy_conf *mpc; \ \ error = 0; \ @@ -283,7 +283,7 @@ int vn_setlabel(struct vnode *vp, struct } \ } while (0) -#define MAC_CHECK_NOSLEEP(check, args...) do { \ +#define MAC_POLICY_CHECK_NOSLEEP(check, args...) do { \ struct mac_policy_conf *mpc; \ \ error = 0; \ @@ -306,13 +306,13 @@ int vn_setlabel(struct vnode *vp, struct } while (0) /* - * MAC_GRANT performs the designated check by walking the policy module list - * and checking with each as to how it feels about the request. Unlike - * MAC_CHECK, it grants if any policies return '0', and otherwise returns - * EPERM. Note that it returns its value via 'error' in the scope of the - * caller. + * MAC_POLICY_GRANT performs the designated check by walking the policy + * module list and checking with each as to how it feels about the request. + * Unlike MAC_POLICY_CHECK, it grants if any policies return '0', and + * otherwise returns EPERM. Note that it returns its value via 'error' in + * the scope of the caller. */ -#define MAC_GRANT_NOSLEEP(check, args...) do { \ +#define MAC_POLICY_GRANT_NOSLEEP(check, args...) do { \ struct mac_policy_conf *mpc; \ \ error = EPERM; \ 
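Review bot: In the `@@ -306,13 +306,13 @@` hunk the rewritten comment documents `MAC_POLICY_GRANT`, but the definition that follows it is `MAC_POLICY_GRANT_NOSLEEP`, and no sleepable variant is visible in this hunk. If none exists elsewhere in the header, the comment should name the macro that is actually defined, for example `* MAC_POLICY_GRANT_NOSLEEP performs the designated check by walking the policy`. This is the one composition where a single policy returning 0 grants the request, so the documented name should be the one a reader can find by searching. The macro body continues past the end of the hunk.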
@@ -336,13 +336,13 @@ int vn_setlabel(struct vnode *vp, struct } while (0) /* - * MAC_BOOLEAN performs the designated boolean composition by walking the - * module list, invoking each instance of the operation, and combining the - * results using the passed C operator. Note that it returns its value via - * 'result' in the scope of the caller, which should be initialized by the - * caller in a meaningful way to get a meaningful result. + * MAC_POLICY_BOOLEAN performs the designated boolean composition by walking + * the module list, invoking each instance of the operation, and combining + * the results using the passed C operator. Note that it returns its value + * via 'result' in the scope of the caller, which should be initialized by + * the caller in a meaningful way to get a meaningful result. */ -#define MAC_BOOLEAN(operation, composition, args...) do { \ +#define MAC_POLICY_BOOLEAN(operation, composition, args...) do { \ struct mac_policy_conf *mpc; \ \ LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) { \ @@ -362,7 +362,7 @@ int vn_setlabel(struct vnode *vp, struct } \ } while (0) -#define MAC_BOOLEAN_NOSLEEP(operation, composition, args...) do { \ +#define MAC_POLICY_BOOLEAN_NOSLEEP(operation, composition, args...) do {\ struct mac_policy_conf *mpc; \ \ LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) { \ 
@@ -383,13 +383,13 @@ int vn_setlabel(struct vnode *vp, struct } while (0) /* - * MAC_EXTERNALIZE queries each policy to see if it can generate an + * MAC_POLICY_EXTERNALIZE queries each policy to see if it can generate an * externalized version of a label element by name. Policies declare whether * they have matched a particular element name, parsed from the string by - * MAC_EXTERNALIZE, and an error is returned if any element is matched by no - * policy. + * MAC_POLICY_EXTERNALIZE, and an error is returned if any element is matched + * by no policy. */ -#define MAC_EXTERNALIZE(type, label, elementlist, outbuf, \ +#define MAC_POLICY_EXTERNALIZE(type, label, elementlist, outbuf, \ outbuflen) do { \ int claimed, first, ignorenotfound, savedlen; \ char *element_name, *element_temp; \ @@ -415,7 +415,7 @@ int vn_setlabel(struct vnode *vp, struct break; \ } \ claimed = 0; \ - MAC_CHECK(type ## _externalize_label, label, \ + MAC_POLICY_CHECK(type ## _externalize_label, label, \ element_name, &sb, &claimed); \ if (error) \ break; \ @@ -433,11 +433,11 @@ int vn_setlabel(struct vnode *vp, struct } while (0) /* - * MAC_INTERNALIZE presents parsed element names and data to each policy to - * see if any is willing to claim it and internalize the label data. If no - * policies match, an error is returned. + * MAC_POLICY_INTERNALIZE presents parsed element names and data to each + * policy to see if any is willing to claim it and internalize the label + * data. If no policies match, an error is returned. */ -#define MAC_INTERNALIZE(type, label, instring) do { \ +#define MAC_POLICY_INTERNALIZE(type, label, instring) do { \ char *element, *element_name, *element_data; \ int claimed; \ \ @@ -451,7 +451,7 @@ int vn_setlabel(struct vnode *vp, struct break; \ } \ claimed = 0; \ - MAC_CHECK(type ## _internalize_label, label, \ + MAC_POLICY_CHECK(type ## _internalize_label, label, \ element_name, element_data, &claimed); \ if (error) \ break; \ 
@@ -464,10 +464,10 @@ int vn_setlabel(struct vnode *vp, struct } while (0) /* - * MAC_PERFORM performs the designated operation by walking the policy module - * list and invoking that operation for each policy. + * MAC_POLICY_PERFORM performs the designated operation by walking the policy + * module list and invoking that operation for each policy. */ -#define MAC_PERFORM(operation, args...) do { \ +#define MAC_POLICY_PERFORM(operation, args...) do { \ struct mac_policy_conf *mpc; \ \ LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) { \ @@ -484,7 +484,7 @@ int vn_setlabel(struct vnode *vp, struct } \ } while (0) -#define MAC_PERFORM_NOSLEEP(operation, args...) do { \ +#define MAC_POLICY_PERFORM_NOSLEEP(operation, args...) do { \ struct mac_policy_conf *mpc; \ \ LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) { \ Modified: head/sys/security/mac/mac_net.c ============================================================================== --- head/sys/security/mac/mac_net.c Fri May 1 20:53:37 2009 (r191730) +++ head/sys/security/mac/mac_net.c Fri May 1 21:05:40 2009 (r191731) @@ -110,7 +110,7 @@ mac_bpfdesc_label_alloc(void) struct label *label; label = mac_labelzone_alloc(M_WAITOK); - MAC_PERFORM(bpfdesc_init_label, label); + MAC_POLICY_PERFORM(bpfdesc_init_label, label); return (label); } @@ -130,7 +130,7 @@ mac_ifnet_label_alloc(void) struct label *label; label = mac_labelzone_alloc(M_WAITOK); - MAC_PERFORM(ifnet_init_label, label); + MAC_POLICY_PERFORM(ifnet_init_label, label); return (label); } 
@@ -154,11 +154,11 @@ mac_mbuf_tag_init(struct m_tag *tag, int mac_init_label(label); if (flag & M_WAITOK) - MAC_CHECK(mbuf_init_label, label, flag); + MAC_POLICY_CHECK(mbuf_init_label, label, flag); else - MAC_CHECK_NOSLEEP(mbuf_init_label, label, flag); + MAC_POLICY_CHECK_NOSLEEP(mbuf_init_label, label, flag); if (error) { - MAC_PERFORM_NOSLEEP(mbuf_destroy_label, label); + MAC_POLICY_PERFORM_NOSLEEP(mbuf_destroy_label, label); mac_destroy_label(label); } return (error); @@ -191,7 +191,7 @@ static void mac_bpfdesc_label_free(struct label *label) { - MAC_PERFORM_NOSLEEP(bpfdesc_destroy_label, label); + MAC_POLICY_PERFORM_NOSLEEP(bpfdesc_destroy_label, label); mac_labelzone_free(label); } @@ -209,7 +209,7 @@ static void mac_ifnet_label_free(struct label *label) { - MAC_PERFORM_NOSLEEP(ifnet_destroy_label, label); + MAC_POLICY_PERFORM_NOSLEEP(ifnet_destroy_label, label); mac_labelzone_free(label); } @@ -230,7 +230,7 @@ mac_mbuf_tag_destroy(struct m_tag *tag) label = (struct label *)(tag+1); - MAC_PERFORM_NOSLEEP(mbuf_destroy_label, label); + MAC_POLICY_PERFORM_NOSLEEP(mbuf_destroy_label, label); mac_destroy_label(label); } @@ -250,7 +250,7 @@ mac_mbuf_tag_copy(struct m_tag *src, str * mac_mbuf_tag_init() is called on the target tag in m_tag_copy(), * so we don't need to call it here. */ - MAC_PERFORM_NOSLEEP(mbuf_copy_label, src_label, dest_label); + MAC_POLICY_PERFORM_NOSLEEP(mbuf_copy_label, src_label, dest_label); } void @@ -261,14 +261,14 @@ mac_mbuf_copy(struct mbuf *m_from, struc src_label = mac_mbuf_to_label(m_from); dest_label = mac_mbuf_to_label(m_to); - MAC_PERFORM_NOSLEEP(mbuf_copy_label, src_label, dest_label); + MAC_POLICY_PERFORM_NOSLEEP(mbuf_copy_label, src_label, dest_label); } static void mac_ifnet_copy_label(struct label *src, struct label *dest) { - MAC_PERFORM_NOSLEEP(ifnet_copy_label, src, dest); + MAC_POLICY_PERFORM_NOSLEEP(ifnet_copy_label, src, dest); } static int 
@@ -277,7 +277,7 @@ mac_ifnet_externalize_label(struct label { int error; - MAC_EXTERNALIZE(ifnet, label, elements, outbuf, outbuflen); + MAC_POLICY_EXTERNALIZE(ifnet, label, elements, outbuf, outbuflen); return (error); } @@ -287,7 +287,7 @@ mac_ifnet_internalize_label(struct label { int error; - MAC_INTERNALIZE(ifnet, label, string); + MAC_POLICY_INTERNALIZE(ifnet, label, string); return (error); } @@ -297,7 +297,7 @@ mac_ifnet_create(struct ifnet *ifp) { MAC_IFNET_LOCK(ifp); - MAC_PERFORM_NOSLEEP(ifnet_create, ifp, ifp->if_label); + MAC_POLICY_PERFORM_NOSLEEP(ifnet_create, ifp, ifp->if_label); MAC_IFNET_UNLOCK(ifp); } @@ -305,7 +305,7 @@ void mac_bpfdesc_create(struct ucred *cred, struct bpf_d *d) { - MAC_PERFORM_NOSLEEP(bpfdesc_create, cred, d, d->bd_label); + MAC_POLICY_PERFORM_NOSLEEP(bpfdesc_create, cred, d, d->bd_label); } void @@ -317,7 +317,8 @@ mac_bpfdesc_create_mbuf(struct bpf_d *d, label = mac_mbuf_to_label(m); - MAC_PERFORM_NOSLEEP(bpfdesc_create_mbuf, d, d->bd_label, m, label); + MAC_POLICY_PERFORM_NOSLEEP(bpfdesc_create_mbuf, d, d->bd_label, m, + label); } void @@ -328,7 +329,8 @@ mac_ifnet_create_mbuf(struct ifnet *ifp, label = mac_mbuf_to_label(m); MAC_IFNET_LOCK(ifp); - MAC_PERFORM_NOSLEEP(ifnet_create_mbuf, ifp, ifp->if_label, m, label); + MAC_POLICY_PERFORM_NOSLEEP(ifnet_create_mbuf, ifp, ifp->if_label, m, + label); MAC_IFNET_UNLOCK(ifp); } @@ -343,7 +345,7 @@ mac_bpfdesc_check_receive(struct bpf_d * BPFD_LOCK_ASSERT(d); MAC_IFNET_LOCK(ifp); - MAC_CHECK_NOSLEEP(bpfdesc_check_receive, d, d->bd_label, ifp, + MAC_POLICY_CHECK_NOSLEEP(bpfdesc_check_receive, d, d->bd_label, ifp, ifp->if_label); MAC_CHECK_PROBE2(bpfdesc_check_receive, error, d, ifp); MAC_IFNET_UNLOCK(ifp); 
@@ -365,7 +367,7 @@ mac_ifnet_check_transmit(struct ifnet *i label = mac_mbuf_to_label(m); MAC_IFNET_LOCK(ifp); - MAC_CHECK_NOSLEEP(ifnet_check_transmit, ifp, ifp->if_label, m, + MAC_POLICY_CHECK_NOSLEEP(ifnet_check_transmit, ifp, ifp->if_label, m, label); MAC_CHECK_PROBE2(ifnet_check_transmit, error, ifp, m); MAC_IFNET_UNLOCK(ifp); @@ -463,15 +465,15 @@ mac_ifnet_ioctl_set(struct ucred *cred, } MAC_IFNET_LOCK(ifp); - MAC_CHECK_NOSLEEP(ifnet_check_relabel, cred, ifp, ifp->if_label, - intlabel); + MAC_POLICY_CHECK_NOSLEEP(ifnet_check_relabel, cred, ifp, + ifp->if_label, intlabel); if (error) { MAC_IFNET_UNLOCK(ifp); mac_ifnet_label_free(intlabel); return (error); } - MAC_PERFORM_NOSLEEP(ifnet_relabel, cred, ifp, ifp->if_label, + MAC_POLICY_PERFORM_NOSLEEP(ifnet_relabel, cred, ifp, ifp->if_label, intlabel); MAC_IFNET_UNLOCK(ifp); Modified: head/sys/security/mac/mac_pipe.c ============================================================================== --- head/sys/security/mac/mac_pipe.c Fri May 1 20:53:37 2009 (r191730) +++ head/sys/security/mac/mac_pipe.c Fri May 1 21:05:40 2009 (r191731) @@ -66,7 +66,7 @@ mac_pipe_label_alloc(void) struct label *label; label = mac_labelzone_alloc(M_WAITOK); - MAC_PERFORM(pipe_init_label, label); + MAC_POLICY_PERFORM(pipe_init_label, label); return (label); } @@ -84,7 +84,7 @@ void mac_pipe_label_free(struct label *label) { - MAC_PERFORM_NOSLEEP(pipe_destroy_label, label); + MAC_POLICY_PERFORM_NOSLEEP(pipe_destroy_label, label); mac_labelzone_free(label); } @@ -102,7 +102,7 @@ void mac_pipe_copy_label(struct label *src, struct label *dest) { - MAC_PERFORM_NOSLEEP(pipe_copy_label, src, dest); + MAC_POLICY_PERFORM_NOSLEEP(pipe_copy_label, src, dest); } int @@ -111,7 +111,7 @@ mac_pipe_externalize_label(struct label { int error; - MAC_EXTERNALIZE(pipe, label, elements, outbuf, outbuflen); + MAC_POLICY_EXTERNALIZE(pipe, label, elements, outbuf, outbuflen); return (error); } 
@@ -121,7 +121,7 @@ mac_pipe_internalize_label(struct label { int error; - MAC_INTERNALIZE(pipe, label, string); + MAC_POLICY_INTERNALIZE(pipe, label, string); return (error); } @@ -130,7 +130,7 @@ void mac_pipe_create(struct ucred *cred, struct pipepair *pp) { - MAC_PERFORM_NOSLEEP(pipe_create, cred, pp, pp->pp_label); + MAC_POLICY_PERFORM_NOSLEEP(pipe_create, cred, pp, pp->pp_label); } static void @@ -138,7 +138,8 @@ mac_pipe_relabel(struct ucred *cred, str struct label *newlabel) { - MAC_PERFORM_NOSLEEP(pipe_relabel, cred, pp, pp->pp_label, newlabel); + MAC_POLICY_PERFORM_NOSLEEP(pipe_relabel, cred, pp, pp->pp_label, + newlabel); } MAC_CHECK_PROBE_DEFINE4(pipe_check_ioctl, "struct ucred *", @@ -152,8 +153,8 @@ mac_pipe_check_ioctl(struct ucred *cred, mtx_assert(&pp->pp_mtx, MA_OWNED); - MAC_CHECK_NOSLEEP(pipe_check_ioctl, cred, pp, pp->pp_label, cmd, - data); + MAC_POLICY_CHECK_NOSLEEP(pipe_check_ioctl, cred, pp, pp->pp_label, + cmd, data); MAC_CHECK_PROBE4(pipe_check_ioctl, error, cred, pp, cmd, data); return (error); @@ -169,7 +170,7 @@ mac_pipe_check_poll(struct ucred *cred, mtx_assert(&pp->pp_mtx, MA_OWNED); - MAC_CHECK_NOSLEEP(pipe_check_poll, cred, pp, pp->pp_label); + MAC_POLICY_CHECK_NOSLEEP(pipe_check_poll, cred, pp, pp->pp_label); MAC_CHECK_PROBE2(pipe_check_poll, error, cred, pp); return (error); @@ -185,7 +186,7 @@ mac_pipe_check_read(struct ucred *cred, mtx_assert(&pp->pp_mtx, MA_OWNED); - MAC_CHECK_NOSLEEP(pipe_check_read, cred, pp, pp->pp_label); + MAC_POLICY_CHECK_NOSLEEP(pipe_check_read, cred, pp, pp->pp_label); MAC_CHECK_PROBE2(pipe_check_read, error, cred, pp); *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***