From owner-p4-projects@FreeBSD.ORG Fri Nov 7 21:43:01 2003 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 9F10216A4D0; Fri, 7 Nov 2003 21:43:01 -0800 (PST) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6345F16A4CE for ; Fri, 7 Nov 2003 21:43:01 -0800 (PST) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6A9D944003 for ; Fri, 7 Nov 2003 21:43:00 -0800 (PST) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.9/8.12.9) with ESMTP id hA85h0XJ025996 for ; Fri, 7 Nov 2003 21:43:00 -0800 (PST) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.9/8.12.9/Submit) id hA85gxrw025993 for perforce@freebsd.org; Fri, 7 Nov 2003 21:42:59 -0800 (PST) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Fri, 7 Nov 2003 21:42:59 -0800 (PST) Message-Id: <200311080542.hA85gxrw025993@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
From: Robert Watson To: Perforce Change Reviews Subject: PERFORCE change 41725 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 08 Nov 2003 05:43:02 -0000 http://perforce.freebsd.org/chv.cgi?CH=41725 Change 41725 by rwatson@rwatson_paprika on 2003/11/07 21:42:47 Move to a (struct label *) pointer in network-related data structures, rather than an embedded (struct label). This means that changes in struct label won't change the ABI for network drivers, that we can vary the size of struct label each boot, etc. Use the UMA label zone for struct bpfdesc, struct ipq, struct ifnet, and struct socket. struct mbuf already uses space allocated external to the mbuf header via m_tag. While here, correct a bug wherein the normal socket label destroy routine was called on the socket peer label when aborting a socket label allocation, instead of the socket peer label destroy routine. Affected files ... .. //depot/projects/trustedbsd/mac/sys/net/bpfdesc.h#9 edit .. //depot/projects/trustedbsd/mac/sys/net/if_var.h#18 edit .. //depot/projects/trustedbsd/mac/sys/netinet/ip_var.h#17 edit .. //depot/projects/trustedbsd/mac/sys/security/mac/mac_net.c#6 edit .. //depot/projects/trustedbsd/mac/sys/sys/socketvar.h#33 edit Differences ...
==== //depot/projects/trustedbsd/mac/sys/net/bpfdesc.h#9 (text+ko) ====
@@ -43,7 +43,6 @@
 #ifndef _NET_BPFDESC_H_
 #define _NET_BPFDESC_H_
-#include
 #include
 #include
@@ -93,7 +92,7 @@
 #endif
 struct mtx bd_mtx; /* mutex for this descriptor */
 struct callout bd_callout; /* for BPF timeouts with select */
- struct label bd_label; /* MAC label for descriptor */
+ struct label *bd_label; /* MAC label for descriptor */
 };
 /* Values for bd_state */
==== //depot/projects/trustedbsd/mac/sys/net/if_var.h#18 (text+ko) ====
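Review bot: With the label header's `#include` removed from bpfdesc.h, nothing visible in the hunk declares `struct label` before the changed member `struct label *bd_label;`, so the tag is introduced implicitly by that member declaration. Unless a forward declaration already exists outside the hunk, a one-line `struct label;` next to the remaining includes would document the dependency and keep the header self-contained. The same applies to the if_var.h, ip_var.h and socketvar.h hunks below, which make the same embedded-to-pointer change after dropping the include.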
@@ -74,7 +74,6 @@
 struct ether_header;
 #endif
-#include /* struct label */
 #include /* get TAILQ macros */
 #ifdef _KERNEL
@@ -177,7 +176,7 @@
 struct ifqueue *if_poll_slowq; /* input queue for slow devices */
 struct ifprefixhead if_prefixhead; /* list of prefixes per if */
 u_int8_t *if_broadcastaddr; /* linklevel broadcast bytestring */
- struct label if_label; /* interface MAC label */
+ struct label *if_label; /* interface MAC label */
 void *if_afdata[AF_MAX];
 int if_afdata_initialized;
==== //depot/projects/trustedbsd/mac/sys/netinet/ip_var.h#17 (text+ko) ====
@@ -39,10 +39,6 @@
 #include
-#ifdef _KERNEL
-#include
-#endif
-
 /*
 * Overlay for ip header used by other protocols (tcp, udp).
 */
@@ -71,7 +67,7 @@
 u_char ipq_nfrags; /* # frags in this packet */
 u_int32_t ipq_div_info; /* ipfw divert port & flags */
 u_int16_t ipq_div_cookie; /* ipfw divert cookie */
- struct label ipq_label; /* MAC label */
+ struct label *ipq_label; /* MAC label */
 };
 #endif /* _KERNEL */
==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_net.c#6 (text+ko) ====
@@ -91,7 +91,8 @@
 &nmacsockets, 0, "number of sockets in use");
 #endif
-static void mac_destroy_socket_label(struct label *label);
+static void mac_socket_label_free(struct label *label);
+
 static struct label *
 mbuf_to_label(struct mbuf *mbuf)
@@ -105,13 +106,22 @@
 return (label);
 }
+static struct label *
+mac_bpfdesc_label_alloc(void)
+{
+ struct label *label;
+
+ label = mac_labelzone_alloc(M_WAITOK);
+ MAC_PERFORM(init_bpfdesc_label, label);
+ MAC_DEBUG_COUNTER_INC(&nmacbpfdescs);
+ return (label);
+}
+
 void
 mac_init_bpfdesc(struct bpf_d *bpf_d)
 {
- mac_init_label(&bpf_d->bd_label);
- MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
- MAC_DEBUG_COUNTER_INC(&nmacbpfdescs);
+ bpf_d->bd_label = mac_bpfdesc_label_alloc();
 }
 static void
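Review bot: `mac_bpfdesc_label_alloc` allocates with `M_WAITOK`, so `mac_init_bpfdesc` can now sleep, and neither the helper nor its caller says so. A short comment on the helper, e.g. `/* Allocate and initialize a bpfdesc label; M_WAITOK, so this may sleep. */`, would record that constraint for callers (the same goes for `mac_ifnet_label_alloc` in the next hunk). Separately, the earlier hunk in this file drops the prototype for `mac_destroy_socket_label` without visibly removing the function; if its definition still exists outside the hunks, it is now an unreferenced static function.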
@@ -123,28 +133,52 @@
 MAC_DEBUG_COUNTER_INC(&nmacifnets);
 }
+static struct label *
+mac_ifnet_label_alloc(void)
+{
+ struct label *label;
+
+ label = mac_labelzone_alloc(M_WAITOK);
+ MAC_PERFORM(init_ifnet_label, label);
+ MAC_DEBUG_COUNTER_INC(&nmacifnets);
+ return (label);
+}
+
 void
 mac_init_ifnet(struct ifnet *ifp)
 {
- mac_init_ifnet_label(&ifp->if_label);
+ ifp->if_label = mac_ifnet_label_alloc();
 }
-int
-mac_init_ipq(struct ipq *ipq, int flag)
+static struct label *
+mac_ipq_label_alloc(int flag)
 {
+ struct label *label;
 int error;
- mac_init_label(&ipq->ipq_label);
+ label = mac_labelzone_alloc(flag);
+ if (label == NULL)
+ return (NULL);
- MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag);
+ MAC_CHECK(init_ipq_label, label, flag);
 if (error) {
- MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
- mac_destroy_label(&ipq->ipq_label);
- } else {
- MAC_DEBUG_COUNTER_INC(&nmacipqs);
+ MAC_PERFORM(destroy_ipq_label, label);
+ mac_labelzone_free(label);
+ return (NULL);
 }
- return (error);
+ MAC_DEBUG_COUNTER_INC(&nmacipqs);
+ return (label);
+}
+
+int
+mac_init_ipq(struct ipq *ipq, int flag)
+{
+
+ ipq->ipq_label = mac_ipq_label_alloc(flag);
+ if (ipq->ipq_label == NULL)
+ return (ENOMEM);
+ return (0);
 }
 int
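Review bot: `mac_init_ipq` now returns `ENOMEM` whenever `mac_ipq_label_alloc` hands back NULL, but the helper also returns NULL when `MAC_CHECK(init_ipq_label, ...)` fails with a policy error, so the policy's error code that the removed `return (error)` used to propagate is collapsed into ENOMEM. `mac_init_socket` in the next hunk has the same collapse for both the socket label and the peer label. If callers or policies rely on the distinction, the helper could take an `int *errorp` out-parameter, or return the error and pass the label back through a `struct label **` argument, so that only a genuine zone allocation failure reports ENOMEM.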
@@ -213,45 +247,76 @@
 return (error);
 }
-static int
-mac_init_socket_peer_label(struct label *label, int flag)
+static struct label *
+mac_socket_label_alloc(int flag)
 {
+ struct label *label;
 int error;
- mac_init_label(label);
+ label = mac_labelzone_alloc(flag);
+ if (label == NULL)
+ return (NULL);
- MAC_CHECK(init_socket_peer_label, label, flag);
+ MAC_CHECK(init_socket_label, label, flag);
 if (error) {
 MAC_PERFORM(destroy_socket_label, label);
- mac_destroy_label(label);
+ mac_labelzone_free(label);
+ return (NULL);
 }
+ MAC_DEBUG_COUNTER_INC(&nmacsockets);
+ return (label);
+}
- return (error);
+static struct label *
+mac_socket_peer_label_alloc(int flag)
+{
+ struct label *label;
+ int error;
+
+ label = mac_labelzone_alloc(flag);
+ if (label == NULL)
+ return (NULL);
+
+ MAC_CHECK(init_socket_peer_label, label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_socket_peer_label, label);
+ mac_labelzone_free(label);
+ return (NULL);
+ }
+ MAC_DEBUG_COUNTER_INC(&nmacsockets);
+ return (label);
 }
 int
-mac_init_socket(struct socket *socket, int flag)
+mac_init_socket(struct socket *so, int flag)
 {
- int error;
- error = mac_init_socket_label(&socket->so_label, flag);
- if (error)
- return (error);
+ so->so_label = mac_socket_label_alloc(flag);
+ if (so->so_label == NULL)
+ return (ENOMEM);
+ so->so_peerlabel = mac_socket_peer_label_alloc(flag);
+ if (so->so_peerlabel == NULL) {
+ mac_socket_label_free(so->so_label);
+ so->so_label = NULL;
+ return (ENOMEM);
+ }
+ return (0);
+}
- error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
- if (error)
- mac_destroy_socket_label(&socket->so_label);
+static void
+mac_bpfdesc_label_free(struct label *label)
+{
- return (error);
+ MAC_PERFORM(destroy_bpfdesc_label, label);
+ MAC_DEBUG_COUNTER_DEC(&nmacbpfdescs);
 }
 void
 mac_destroy_bpfdesc(struct bpf_d *bpf_d)
 {
- MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
- mac_destroy_label(&bpf_d->bd_label);
- MAC_DEBUG_COUNTER_DEC(&nmacbpfdescs);
+ mac_bpfdesc_label_free(bpf_d->bd_label);
+ bpf_d->bd_label = NULL;
 }
 static void
@@ -263,20 +328,35 @@
 MAC_DEBUG_COUNTER_DEC(&nmacifnets);
 }
+static void
+mac_ifnet_label_free(struct label *label)
+{
+
+ MAC_PERFORM(destroy_ifnet_label, label);
+ MAC_DEBUG_COUNTER_DEC(&nmacifnets);
+}
+
 void
 mac_destroy_ifnet(struct ifnet *ifp)
 {
- mac_destroy_ifnet_label(&ifp->if_label);
+ mac_ifnet_label_free(ifp->if_label);
+ ifp->if_label = NULL;
+}
+
+static void
+mac_ipq_label_free(struct label *label)
+{
+
+ MAC_PERFORM(destroy_ipq_label, label);
+ MAC_DEBUG_COUNTER_DEC(&nmacipqs);
 }
 void
 mac_destroy_ipq(struct ipq *ipq)
 {
- MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
- mac_destroy_label(&ipq->ipq_label);
- MAC_DEBUG_COUNTER_DEC(&nmacipqs);
+ mac_ipq_label_free(ipq->ipq_label);
 }
 void
@@ -301,19 +381,29 @@
 }
 static void
-mac_destroy_socket_peer_label(struct label *label)
+mac_socket_label_free(struct label *label)
+{
+
+ MAC_PERFORM(destroy_socket_label, label);
+ MAC_DEBUG_COUNTER_DEC(&nmacsockets);
+}
+
+static void
+mac_socket_peer_label_free(struct label *label)
 {
 MAC_PERFORM(destroy_socket_peer_label, label);
- mac_destroy_label(label);
+ MAC_DEBUG_COUNTER_DEC(&nmacsockets);
 }
 void
 mac_destroy_socket(struct socket *socket)
 {
- mac_destroy_socket_label(&socket->so_label);
- mac_destroy_socket_peer_label(&socket->so_peerlabel);
+ mac_socket_label_free(socket->so_label);
+ socket->so_label = NULL;
+ mac_socket_peer_label_free(socket->so_peerlabel);
+ socket->so_peerlabel = NULL;
 }
 void
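Review bot: `mac_socket_peer_label_alloc` increments `nmacsockets` and `mac_socket_peer_label_free` in the @@ -301 hunk decrements it, on top of the increment and decrement already done for the socket label itself, so the counter the sysctl describes as "number of sockets in use" now moves by two per socket. The removed `mac_init_socket_peer_label` and `mac_destroy_socket_peer_label` touched no counter, so this is a behaviour change the description does not mention. Either drop the `MAC_DEBUG_COUNTER_INC(&nmacsockets);` / `MAC_DEBUG_COUNTER_DEC(&nmacsockets);` lines from the two peer-label helpers, or give peer labels a counter of their own.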
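Review bot: `mac_destroy_ipq` in the @@ -263 hunk frees the label but leaves `ipq->ipq_label` pointing at the returned zone object, whereas `mac_destroy_bpfdesc`, `mac_destroy_ifnet` and `mac_destroy_socket` in this change all clear the pointer after freeing. For consistency, and so that any later use of the stale pointer fails as a NULL dereference rather than touching freed memory, add `ipq->ipq_label = NULL;` after the `mac_ipq_label_free(ipq->ipq_label);` line.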
@@ -388,21 +478,21 @@
 mac_create_ifnet(struct ifnet *ifnet)
 {
- MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label);
+ MAC_PERFORM(create_ifnet, ifnet, ifnet->if_label);
 }
 void
 mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d)
 {
- MAC_PERFORM(create_bpfdesc, cred, bpf_d, &bpf_d->bd_label);
+ MAC_PERFORM(create_bpfdesc, cred, bpf_d, bpf_d->bd_label);
 }
 void
 mac_create_socket(struct ucred *cred, struct socket *socket)
 {
- MAC_PERFORM(create_socket, cred, socket, &socket->so_label);
+ MAC_PERFORM(create_socket, cred, socket, socket->so_label);
 }
 void
@@ -410,8 +500,8 @@
 struct socket *newsocket)
 {
- MAC_PERFORM(create_socket_from_socket, oldsocket, &oldsocket->so_label,
- newsocket, &newsocket->so_label);
+ MAC_PERFORM(create_socket_from_socket, oldsocket, oldsocket->so_label,
+ newsocket, newsocket->so_label);
 }
 static void
@@ -419,7 +509,7 @@
 struct label *newlabel)
 {
- MAC_PERFORM(relabel_socket, cred, socket, &socket->so_label, newlabel);
+ MAC_PERFORM(relabel_socket, cred, socket, socket->so_label, newlabel);
 }
 void
@@ -430,7 +520,7 @@
 label = mbuf_to_label(mbuf);
 MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, label, socket,
- &socket->so_peerlabel);
+ socket->so_peerlabel);
 }
 void
@@ -439,7 +529,7 @@
 {
 MAC_PERFORM(set_socket_peer_from_socket, oldsocket,
- &oldsocket->so_label, newsocket, &newsocket->so_peerlabel);
+ oldsocket->so_label, newsocket, newsocket->so_peerlabel);
 }
 void
@@ -449,7 +539,7 @@
 label = mbuf_to_label(datagram);
- MAC_PERFORM(create_datagram_from_ipq, ipq, &ipq->ipq_label,
+ MAC_PERFORM(create_datagram_from_ipq, ipq, ipq->ipq_label,
 datagram, label);
 }
@@ -472,7 +562,7 @@
 label = mbuf_to_label(fragment);
- MAC_PERFORM(create_ipq, fragment, label, ipq, &ipq->ipq_label);
+ MAC_PERFORM(create_ipq, fragment, label, ipq, ipq->ipq_label);
 }
 void
@@ -494,7 +584,7 @@
 label = mbuf_to_label(mbuf);
- MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, &bpf_d->bd_label, mbuf,
+ MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, bpf_d->bd_label, mbuf,
 label);
 }
@@ -505,7 +595,7 @@
 label = mbuf_to_label(mbuf);
- MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf,
+ MAC_PERFORM(create_mbuf_linklayer, ifnet, ifnet->if_label, mbuf,
 label);
 }
@@ -516,7 +606,7 @@
 label = mbuf_to_label(mbuf);
- MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf,
+ MAC_PERFORM(create_mbuf_from_ifnet, ifnet, ifnet->if_label, mbuf,
 label);
 }
@@ -530,7 +620,7 @@
 newmbuflabel = mbuf_to_label(newmbuf);
 MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, oldmbuflabel,
- ifnet, &ifnet->if_label, newmbuf, newmbuflabel);
+ ifnet, ifnet->if_label, newmbuf, newmbuflabel);
 }
 void
@@ -555,7 +645,7 @@
 result = 1;
 MAC_BOOLEAN(fragment_match, &&, fragment, label, ipq,
- &ipq->ipq_label);
+ ipq->ipq_label);
 return (result);
 }
@@ -586,7 +676,7 @@
 label = mbuf_to_label(fragment);
- MAC_PERFORM(update_ipq, fragment, label, ipq, &ipq->ipq_label);
+ MAC_PERFORM(update_ipq, fragment, label, ipq, ipq->ipq_label);
 }
 int
@@ -598,7 +688,7 @@
 label = mbuf_to_label(m);
 if (m->m_pkthdr.rcvif != NULL)
- ifnetlabel = &m->m_pkthdr.rcvif->if_label;
+ ifnetlabel = m->m_pkthdr.rcvif->if_label;
 else
 ifnetlabel = NULL;
@@ -615,7 +705,7 @@
 label = mbuf_to_label(mbuf);
- MAC_PERFORM(create_mbuf_from_socket, socket, &socket->so_label, mbuf,
+ MAC_PERFORM(create_mbuf_from_socket, socket, socket->so_label, mbuf,
 label);
 }
@@ -627,8 +717,8 @@
 if (!mac_enforce_network)
 return (0);
- MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet,
- &ifnet->if_label);
+ MAC_CHECK(check_bpfdesc_receive, bpf_d, bpf_d->bd_label, ifnet,
+ ifnet->if_label);
 return (error);
 }
@@ -646,7 +736,7 @@
 label = mbuf_to_label(mbuf);
- MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf,
+ MAC_CHECK(check_ifnet_transmit, ifnet, ifnet->if_label, mbuf,
 label);
 return (error);
@@ -661,7 +751,7 @@
 if (!mac_enforce_socket)
 return (0);
- MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label,
+ MAC_CHECK(check_socket_bind, ucred, socket, socket->so_label,
 sockaddr);
 return (error);
@@ -676,7 +766,7 @@
 if (!mac_enforce_socket)
 return (0);
- MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label,
+ MAC_CHECK(check_socket_connect, cred, socket, socket->so_label,
 sockaddr);
 return (error);
@@ -693,7 +783,7 @@
 label = mbuf_to_label(mbuf);
- MAC_CHECK(check_socket_deliver, socket, &socket->so_label, mbuf,
+ MAC_CHECK(check_socket_deliver, socket, socket->so_label, mbuf,
 label);
 return (error);
@@ -707,7 +797,7 @@
 if (!mac_enforce_socket)
 return (0);
- MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label);
+ MAC_CHECK(check_socket_listen, cred, socket, socket->so_label);
 return (error);
 }
@@ -719,7 +809,7 @@
 if (!mac_enforce_socket)
 return (0);
- MAC_CHECK(check_socket_receive, cred, so, &so->so_label);
+ MAC_CHECK(check_socket_receive, cred, so, so->so_label);
 return (error);
 }
@@ -730,7 +820,7 @@
 {
 int error;
- MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label,
+ MAC_CHECK(check_socket_relabel, cred, socket, socket->so_label,
 newlabel);
 return (error);
@@ -744,7 +834,7 @@
 if (!mac_enforce_socket)
 return (0);
- MAC_CHECK(check_socket_send, cred, so, &so->so_label);
+ MAC_CHECK(check_socket_send, cred, so, so->so_label);
 return (error);
 }
@@ -757,7 +847,7 @@
 if (!mac_enforce_socket)
 return (0);
- MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label);
+ MAC_CHECK(check_socket_visible, cred, socket, socket->so_label);
 return (error);
 }
@@ -786,7 +876,7 @@
 }
 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_ifnet_label(&ifnet->if_label, elements,
+ error = mac_externalize_ifnet_label(ifnet->if_label, elements,
 buffer, mac.m_buflen);
 if (error == 0)
 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -840,14 +930,14 @@
 return (error);
 }
- MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label,
+ MAC_CHECK(check_ifnet_relabel, cred, ifnet, ifnet->if_label,
 &intlabel);
 if (error) {
 mac_destroy_ifnet_label(&intlabel);
 return (error);
 }
- MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel);
+ MAC_PERFORM(relabel_ifnet, cred, ifnet, ifnet->if_label, &intlabel);
 mac_destroy_ifnet_label(&intlabel);
 return (0);
@@ -911,7 +1001,7 @@
 }
 buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_socket_label(&so->so_label, elements,
+ error = mac_externalize_socket_label(so->so_label, elements,
 buffer, mac->m_buflen);
 if (error == 0)
 error = copyout(buffer, mac->m_string, strlen(buffer)+1);
@@ -941,7 +1031,7 @@
 }
 buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_socket_peer_label(&so->so_peerlabel,
+ error = mac_externalize_socket_peer_label(so->so_peerlabel,
 elements, buffer, mac->m_buflen);
 if (error == 0)
 error = copyout(buffer, mac->m_string, strlen(buffer)+1);
==== //depot/projects/trustedbsd/mac/sys/sys/socketvar.h#33 (text+ko) ====
@@ -37,7 +37,6 @@
 #ifndef _SYS_SOCKETVAR_H_
 #define _SYS_SOCKETVAR_H_
-#include /* for struct label */
 #include /* for TAILQ macros */
 #include /* for struct selinfo */
@@ -125,8 +124,8 @@
 void (*so_upcall)(struct socket *, void *, int);
 void *so_upcallarg;
 struct ucred *so_cred; /* user credentials */
- struct label so_label; /* MAC label for socket */
- struct label so_peerlabel; /* cached MAC label for socket peer */
+ struct label *so_label; /* MAC label for socket */
+ struct label *so_peerlabel; /* cached MAC label for socket peer */
 /* NB: generation count must not be first; easiest to make it last. */
 so_gen_t so_gencnt; /* generation count */
 void *so_emuldata; /* private data for emulators */
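Review bot: The relabel path in the @@ -840 hunk still passes `&intlabel` to `check_ifnet_relabel`, `relabel_ifnet` and `mac_destroy_ifnet_label`, so if `intlabel` is still declared as an embedded `struct label` on the stack (its declaration is outside the hunk, as is the start of the enclosing function), its size remains fixed at compile time, which works against the stated goal of varying the size of `struct label` per boot. Switching this temporary to the same zone-backed pointer the rest of the change introduces, e.g. `struct label *intlabel = mac_ifnet_label_alloc();` paired with `mac_ifnet_label_free(intlabel);` on both exit paths, would remove the last embedded label from this file; if the temporary is intentionally left embedded for now, a comment saying so would prevent the next reader from raising the same point.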