PERFORCE change 41725 for review
Robert Watson
rwatson at FreeBSD.org
Sat Nov 8 05:42:59 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=41725
Change 41725 by rwatson at rwatson_paprika on 2003/11/07 21:42:47
Move to a (struct label *) pointer in network-related data
structures, rather than an embedded (struct label). This
means that changes in struct label won't change the ABI for
network drivers, that we can vary the size of struct label
each boot, etc. Use the UMA label zone for struct bpfdesc,
struct ipq, struct ifnet, and struct socket. struct mbuf
already uses space allocated external to the mbuf header
via m_tag. While here, correct a bug wherein the normal
socket label destroy routine was called on the socket peer
label when aborting a socket label allocation, instead of
the socket peer label destroy routine.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/net/bpfdesc.h#9 edit
.. //depot/projects/trustedbsd/mac/sys/net/if_var.h#18 edit
.. //depot/projects/trustedbsd/mac/sys/netinet/ip_var.h#17 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_net.c#6 edit
.. //depot/projects/trustedbsd/mac/sys/sys/socketvar.h#33 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/net/bpfdesc.h#9 (text+ko) ====
@@ -43,7 +43,6 @@
#ifndef _NET_BPFDESC_H_
#define _NET_BPFDESC_H_
-#include <sys/_label.h>
#include <sys/callout.h>
#include <sys/selinfo.h>
@@ -93,7 +92,7 @@
#endif
struct mtx bd_mtx; /* mutex for this descriptor */
struct callout bd_callout; /* for BPF timeouts with select */
- struct label bd_label; /* MAC label for descriptor */
+ struct label *bd_label; /* MAC label for descriptor */
};
/* Values for bd_state */
==== //depot/projects/trustedbsd/mac/sys/net/if_var.h#18 (text+ko) ====
@@ -74,7 +74,6 @@
struct ether_header;
#endif
-#include <sys/_label.h> /* struct label */
#include <sys/queue.h> /* get TAILQ macros */
#ifdef _KERNEL
@@ -177,7 +176,7 @@
struct ifqueue *if_poll_slowq; /* input queue for slow devices */
struct ifprefixhead if_prefixhead; /* list of prefixes per if */
u_int8_t *if_broadcastaddr; /* linklevel broadcast bytestring */
- struct label if_label; /* interface MAC label */
+ struct label *if_label; /* interface MAC label */
void *if_afdata[AF_MAX];
int if_afdata_initialized;
==== //depot/projects/trustedbsd/mac/sys/netinet/ip_var.h#17 (text+ko) ====
@@ -39,10 +39,6 @@
#include <sys/queue.h>
-#ifdef _KERNEL
-#include <sys/_label.h>
-#endif
-
/*
* Overlay for ip header used by other protocols (tcp, udp).
*/
@@ -71,7 +67,7 @@
u_char ipq_nfrags; /* # frags in this packet */
u_int32_t ipq_div_info; /* ipfw divert port & flags */
u_int16_t ipq_div_cookie; /* ipfw divert cookie */
- struct label ipq_label; /* MAC label */
+ struct label *ipq_label; /* MAC label */
};
#endif /* _KERNEL */
==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_net.c#6 (text+ko) ====
@@ -91,7 +91,8 @@
&nmacsockets, 0, "number of sockets in use");
#endif
-static void mac_destroy_socket_label(struct label *label);
+static void mac_socket_label_free(struct label *label);
+
static struct label *
mbuf_to_label(struct mbuf *mbuf)
@@ -105,13 +106,22 @@
return (label);
}
+static struct label *
+mac_bpfdesc_label_alloc(void)
+{
+ struct label *label;
+
+ label = mac_labelzone_alloc(M_WAITOK);
+ MAC_PERFORM(init_bpfdesc_label, label);
+ MAC_DEBUG_COUNTER_INC(&nmacbpfdescs);
+ return (label);
+}
+
void
mac_init_bpfdesc(struct bpf_d *bpf_d)
{
- mac_init_label(&bpf_d->bd_label);
- MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
- MAC_DEBUG_COUNTER_INC(&nmacbpfdescs);
+ bpf_d->bd_label = mac_bpfdesc_label_alloc();
}
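Review bot: mac_bpfdesc_label_alloc does not check the result of mac_labelzone_alloc, unlike mac_ipq_label_alloc and mac_socket_label_alloc later in this file; that is presumably safe only because the call passes M_WAITOK rather than a caller-supplied flag. A short comment would stop the next editor from switching this to M_NOWAIT without adding the check: `/* M_WAITOK: the zone allocation cannot return NULL here. */` above the mac_labelzone_alloc line. mac_ifnet_label_alloc in the following hunk has the same shape and deserves the same comment.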
static void
@@ -123,28 +133,52 @@
MAC_DEBUG_COUNTER_INC(&nmacifnets);
}
+static struct label *
+mac_ifnet_label_alloc(void)
+{
+ struct label *label;
+
+ label = mac_labelzone_alloc(M_WAITOK);
+ MAC_PERFORM(init_ifnet_label, label);
+ MAC_DEBUG_COUNTER_INC(&nmacifnets);
+ return (label);
+}
+
void
mac_init_ifnet(struct ifnet *ifp)
{
- mac_init_ifnet_label(&ifp->if_label);
+ ifp->if_label = mac_ifnet_label_alloc();
}
-int
-mac_init_ipq(struct ipq *ipq, int flag)
+static struct label *
+mac_ipq_label_alloc(int flag)
{
+ struct label *label;
int error;
- mac_init_label(&ipq->ipq_label);
+ label = mac_labelzone_alloc(flag);
+ if (label == NULL)
+ return (NULL);
- MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag);
+ MAC_CHECK(init_ipq_label, label, flag);
if (error) {
- MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
- mac_destroy_label(&ipq->ipq_label);
- } else {
- MAC_DEBUG_COUNTER_INC(&nmacipqs);
+ MAC_PERFORM(destroy_ipq_label, label);
+ mac_labelzone_free(label);
+ return (NULL);
}
- return (error);
+ MAC_DEBUG_COUNTER_INC(&nmacipqs);
+ return (label);
+}
+
+int
+mac_init_ipq(struct ipq *ipq, int flag)
+{
+
+ ipq->ipq_label = mac_ipq_label_alloc(flag);
+ if (ipq->ipq_label == NULL)
+ return (ENOMEM);
+ return (0);
}
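Review bot: mac_init_ipq now reports every failure as ENOMEM, whereas the removed version returned whatever error MAC_CHECK(init_ipq_label) produced; a policy that rejects the label with some other code is now indistinguishable from zone exhaustion at the caller. If discarding the policy's error is deliberate, say so in a comment on mac_ipq_label_alloc, e.g. `/* Policy errors from init_ipq_label are folded into a NULL return; callers report ENOMEM. */`; otherwise the helper could hand the error back through an out-parameter. mac_init_socket in the next hunk has the same behaviour for both so_label and so_peerlabel.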
int
@@ -213,45 +247,76 @@
return (error);
}
-static int
-mac_init_socket_peer_label(struct label *label, int flag)
+static struct label *
+mac_socket_label_alloc(int flag)
{
+ struct label *label;
int error;
- mac_init_label(label);
+ label = mac_labelzone_alloc(flag);
+ if (label == NULL)
+ return (NULL);
- MAC_CHECK(init_socket_peer_label, label, flag);
+ MAC_CHECK(init_socket_label, label, flag);
if (error) {
MAC_PERFORM(destroy_socket_label, label);
- mac_destroy_label(label);
+ mac_labelzone_free(label);
+ return (NULL);
}
+ MAC_DEBUG_COUNTER_INC(&nmacsockets);
+ return (label);
+}
- return (error);
+static struct label *
+mac_socket_peer_label_alloc(int flag)
+{
+ struct label *label;
+ int error;
+
+ label = mac_labelzone_alloc(flag);
+ if (label == NULL)
+ return (NULL);
+
+ MAC_CHECK(init_socket_peer_label, label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_socket_peer_label, label);
+ mac_labelzone_free(label);
+ return (NULL);
+ }
+ MAC_DEBUG_COUNTER_INC(&nmacsockets);
+ return (label);
}
int
-mac_init_socket(struct socket *socket, int flag)
+mac_init_socket(struct socket *so, int flag)
{
- int error;
- error = mac_init_socket_label(&socket->so_label, flag);
- if (error)
- return (error);
+ so->so_label = mac_socket_label_alloc(flag);
+ if (so->so_label == NULL)
+ return (ENOMEM);
+ so->so_peerlabel = mac_socket_peer_label_alloc(flag);
+ if (so->so_peerlabel == NULL) {
+ mac_socket_label_free(so->so_label);
+ so->so_label = NULL;
+ return (ENOMEM);
+ }
+ return (0);
+}
- error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
- if (error)
- mac_destroy_socket_label(&socket->so_label);
+static void
+mac_bpfdesc_label_free(struct label *label)
+{
- return (error);
+ MAC_PERFORM(destroy_bpfdesc_label, label);
+ MAC_DEBUG_COUNTER_DEC(&nmacbpfdescs);
}
void
mac_destroy_bpfdesc(struct bpf_d *bpf_d)
{
- MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
- mac_destroy_label(&bpf_d->bd_label);
- MAC_DEBUG_COUNTER_DEC(&nmacbpfdescs);
+ mac_bpfdesc_label_free(bpf_d->bd_label);
+ bpf_d->bd_label = NULL;
}
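Review bot: mac_bpfdesc_label_free performs destroy_bpfdesc_label and decrements nmacbpfdescs but never calls mac_labelzone_free(label), and mac_destroy_bpfdesc then sets bd_label to NULL, so the zone allocation made in mac_bpfdesc_label_alloc is dropped on every descriptor teardown. The error path of mac_socket_label_alloc in this same hunk does call mac_labelzone_free, so the asymmetry looks unintended rather than a design choice. Add `mac_labelzone_free(label);` after the MAC_PERFORM in mac_bpfdesc_label_free. mac_ifnet_label_free, mac_ipq_label_free, mac_socket_label_free and mac_socket_peer_label_free in the following two hunks omit the same call and need the same line.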
static void
@@ -263,20 +328,35 @@
MAC_DEBUG_COUNTER_DEC(&nmacifnets);
}
+static void
+mac_ifnet_label_free(struct label *label)
+{
+
+ MAC_PERFORM(destroy_ifnet_label, label);
+ MAC_DEBUG_COUNTER_DEC(&nmacifnets);
+}
+
void
mac_destroy_ifnet(struct ifnet *ifp)
{
- mac_destroy_ifnet_label(&ifp->if_label);
+ mac_ifnet_label_free(ifp->if_label);
+ ifp->if_label = NULL;
+}
+
+static void
+mac_ipq_label_free(struct label *label)
+{
+
+ MAC_PERFORM(destroy_ipq_label, label);
+ MAC_DEBUG_COUNTER_DEC(&nmacipqs);
}
void
mac_destroy_ipq(struct ipq *ipq)
{
- MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
- mac_destroy_label(&ipq->ipq_label);
- MAC_DEBUG_COUNTER_DEC(&nmacipqs);
+ mac_ipq_label_free(ipq->ipq_label);
}
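Review bot: mac_destroy_ipq frees ipq->ipq_label but, unlike mac_destroy_bpfdesc, mac_destroy_ifnet and mac_destroy_socket in this change, leaves the stale pointer in the structure. Add `ipq->ipq_label = NULL;` after the mac_ipq_label_free call so that any later use of the destroyed label faults on a NULL pointer instead of reading memory that has been handed back to the zone.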
void
@@ -301,19 +381,29 @@
}
static void
-mac_destroy_socket_peer_label(struct label *label)
+mac_socket_label_free(struct label *label)
+{
+
+ MAC_PERFORM(destroy_socket_label, label);
+ MAC_DEBUG_COUNTER_DEC(&nmacsockets);
+}
+
+static void
+mac_socket_peer_label_free(struct label *label)
{
MAC_PERFORM(destroy_socket_peer_label, label);
- mac_destroy_label(label);
+ MAC_DEBUG_COUNTER_DEC(&nmacsockets);
}
void
mac_destroy_socket(struct socket *socket)
{
- mac_destroy_socket_label(&socket->so_label);
- mac_destroy_socket_peer_label(&socket->so_peerlabel);
+ mac_socket_label_free(socket->so_label);
+ socket->so_label = NULL;
+ mac_socket_peer_label_free(socket->so_peerlabel);
+ socket->so_peerlabel = NULL;
}
void
@@ -388,21 +478,21 @@
mac_create_ifnet(struct ifnet *ifnet)
{
- MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label);
+ MAC_PERFORM(create_ifnet, ifnet, ifnet->if_label);
}
void
mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d)
{
- MAC_PERFORM(create_bpfdesc, cred, bpf_d, &bpf_d->bd_label);
+ MAC_PERFORM(create_bpfdesc, cred, bpf_d, bpf_d->bd_label);
}
void
mac_create_socket(struct ucred *cred, struct socket *socket)
{
- MAC_PERFORM(create_socket, cred, socket, &socket->so_label);
+ MAC_PERFORM(create_socket, cred, socket, socket->so_label);
}
void
@@ -410,8 +500,8 @@
struct socket *newsocket)
{
- MAC_PERFORM(create_socket_from_socket, oldsocket, &oldsocket->so_label,
- newsocket, &newsocket->so_label);
+ MAC_PERFORM(create_socket_from_socket, oldsocket, oldsocket->so_label,
+ newsocket, newsocket->so_label);
}
static void
@@ -419,7 +509,7 @@
struct label *newlabel)
{
- MAC_PERFORM(relabel_socket, cred, socket, &socket->so_label, newlabel);
+ MAC_PERFORM(relabel_socket, cred, socket, socket->so_label, newlabel);
}
void
@@ -430,7 +520,7 @@
label = mbuf_to_label(mbuf);
MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, label, socket,
- &socket->so_peerlabel);
+ socket->so_peerlabel);
}
void
@@ -439,7 +529,7 @@
{
MAC_PERFORM(set_socket_peer_from_socket, oldsocket,
- &oldsocket->so_label, newsocket, &newsocket->so_peerlabel);
+ oldsocket->so_label, newsocket, newsocket->so_peerlabel);
}
void
@@ -449,7 +539,7 @@
label = mbuf_to_label(datagram);
- MAC_PERFORM(create_datagram_from_ipq, ipq, &ipq->ipq_label,
+ MAC_PERFORM(create_datagram_from_ipq, ipq, ipq->ipq_label,
datagram, label);
}
@@ -472,7 +562,7 @@
label = mbuf_to_label(fragment);
- MAC_PERFORM(create_ipq, fragment, label, ipq, &ipq->ipq_label);
+ MAC_PERFORM(create_ipq, fragment, label, ipq, ipq->ipq_label);
}
void
@@ -494,7 +584,7 @@
label = mbuf_to_label(mbuf);
- MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, &bpf_d->bd_label, mbuf,
+ MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, bpf_d->bd_label, mbuf,
label);
}
@@ -505,7 +595,7 @@
label = mbuf_to_label(mbuf);
- MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf,
+ MAC_PERFORM(create_mbuf_linklayer, ifnet, ifnet->if_label, mbuf,
label);
}
@@ -516,7 +606,7 @@
label = mbuf_to_label(mbuf);
- MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf,
+ MAC_PERFORM(create_mbuf_from_ifnet, ifnet, ifnet->if_label, mbuf,
label);
}
@@ -530,7 +620,7 @@
newmbuflabel = mbuf_to_label(newmbuf);
MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, oldmbuflabel,
- ifnet, &ifnet->if_label, newmbuf, newmbuflabel);
+ ifnet, ifnet->if_label, newmbuf, newmbuflabel);
}
void
@@ -555,7 +645,7 @@
result = 1;
MAC_BOOLEAN(fragment_match, &&, fragment, label, ipq,
- &ipq->ipq_label);
+ ipq->ipq_label);
return (result);
}
@@ -586,7 +676,7 @@
label = mbuf_to_label(fragment);
- MAC_PERFORM(update_ipq, fragment, label, ipq, &ipq->ipq_label);
+ MAC_PERFORM(update_ipq, fragment, label, ipq, ipq->ipq_label);
}
int
@@ -598,7 +688,7 @@
label = mbuf_to_label(m);
if (m->m_pkthdr.rcvif != NULL)
- ifnetlabel = &m->m_pkthdr.rcvif->if_label;
+ ifnetlabel = m->m_pkthdr.rcvif->if_label;
else
ifnetlabel = NULL;
@@ -615,7 +705,7 @@
label = mbuf_to_label(mbuf);
- MAC_PERFORM(create_mbuf_from_socket, socket, &socket->so_label, mbuf,
+ MAC_PERFORM(create_mbuf_from_socket, socket, socket->so_label, mbuf,
label);
}
@@ -627,8 +717,8 @@
if (!mac_enforce_network)
return (0);
- MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet,
- &ifnet->if_label);
+ MAC_CHECK(check_bpfdesc_receive, bpf_d, bpf_d->bd_label, ifnet,
+ ifnet->if_label);
return (error);
}
@@ -646,7 +736,7 @@
label = mbuf_to_label(mbuf);
- MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf,
+ MAC_CHECK(check_ifnet_transmit, ifnet, ifnet->if_label, mbuf,
label);
return (error);
@@ -661,7 +751,7 @@
if (!mac_enforce_socket)
return (0);
- MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label,
+ MAC_CHECK(check_socket_bind, ucred, socket, socket->so_label,
sockaddr);
return (error);
@@ -676,7 +766,7 @@
if (!mac_enforce_socket)
return (0);
- MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label,
+ MAC_CHECK(check_socket_connect, cred, socket, socket->so_label,
sockaddr);
return (error);
@@ -693,7 +783,7 @@
label = mbuf_to_label(mbuf);
- MAC_CHECK(check_socket_deliver, socket, &socket->so_label, mbuf,
+ MAC_CHECK(check_socket_deliver, socket, socket->so_label, mbuf,
label);
return (error);
@@ -707,7 +797,7 @@
if (!mac_enforce_socket)
return (0);
- MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label);
+ MAC_CHECK(check_socket_listen, cred, socket, socket->so_label);
return (error);
}
@@ -719,7 +809,7 @@
if (!mac_enforce_socket)
return (0);
- MAC_CHECK(check_socket_receive, cred, so, &so->so_label);
+ MAC_CHECK(check_socket_receive, cred, so, so->so_label);
return (error);
}
@@ -730,7 +820,7 @@
{
int error;
- MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label,
+ MAC_CHECK(check_socket_relabel, cred, socket, socket->so_label,
newlabel);
return (error);
@@ -744,7 +834,7 @@
if (!mac_enforce_socket)
return (0);
- MAC_CHECK(check_socket_send, cred, so, &so->so_label);
+ MAC_CHECK(check_socket_send, cred, so, so->so_label);
return (error);
}
@@ -757,7 +847,7 @@
if (!mac_enforce_socket)
return (0);
- MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label);
+ MAC_CHECK(check_socket_visible, cred, socket, socket->so_label);
return (error);
}
@@ -786,7 +876,7 @@
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_ifnet_label(&ifnet->if_label, elements,
+ error = mac_externalize_ifnet_label(ifnet->if_label, elements,
buffer, mac.m_buflen);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -840,14 +930,14 @@
return (error);
}
- MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label,
+ MAC_CHECK(check_ifnet_relabel, cred, ifnet, ifnet->if_label,
&intlabel);
if (error) {
mac_destroy_ifnet_label(&intlabel);
return (error);
}
- MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel);
+ MAC_PERFORM(relabel_ifnet, cred, ifnet, ifnet->if_label, &intlabel);
mac_destroy_ifnet_label(&intlabel);
return (0);
@@ -911,7 +1001,7 @@
}
buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_socket_label(&so->so_label, elements,
+ error = mac_externalize_socket_label(so->so_label, elements,
buffer, mac->m_buflen);
if (error == 0)
error = copyout(buffer, mac->m_string, strlen(buffer)+1);
@@ -941,7 +1031,7 @@
}
buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_socket_peer_label(&so->so_peerlabel,
+ error = mac_externalize_socket_peer_label(so->so_peerlabel,
elements, buffer, mac->m_buflen);
if (error == 0)
error = copyout(buffer, mac->m_string, strlen(buffer)+1);
==== //depot/projects/trustedbsd/mac/sys/sys/socketvar.h#33 (text+ko) ====
@@ -37,7 +37,6 @@
#ifndef _SYS_SOCKETVAR_H_
#define _SYS_SOCKETVAR_H_
-#include <sys/_label.h> /* for struct label */
#include <sys/queue.h> /* for TAILQ macros */
#include <sys/selinfo.h> /* for struct selinfo */
@@ -125,8 +124,8 @@
void (*so_upcall)(struct socket *, void *, int);
void *so_upcallarg;
struct ucred *so_cred; /* user credentials */
- struct label so_label; /* MAC label for socket */
- struct label so_peerlabel; /* cached MAC label for socket peer */
+ struct label *so_label; /* MAC label for socket */
+ struct label *so_peerlabel; /* cached MAC label for socket peer */
/* NB: generation count must not be first; easiest to make it last. */
so_gen_t so_gencnt; /* generation count */
void *so_emuldata; /* private data for emulators */