Date:      Tue, 18 Apr 2023 19:37:05 GMT
From:      "Stephen J. Kiernan" <stevek@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 8deb442cf7ab - main - mac: Honor order when registering MAC modules.
Message-ID:  <202304181937.33IJb5fl029520@gitrepo.freebsd.org>

The branch main has been updated by stevek:

URL: https://cgit.FreeBSD.org/src/commit/?id=8deb442cf7ab2b1097a9186c895017a737d84370

commit 8deb442cf7ab2b1097a9186c895017a737d84370
Author:     Steve Kiernan <stevek@juniper.net>
AuthorDate: 2023-04-02 22:17:17 +0000
Commit:     Stephen J. Kiernan <stevek@FreeBSD.org>
CommitDate: 2023-04-18 19:36:27 +0000

    mac: Honor order when registering MAC modules.
    
    Ensure MAC modules are inserted in the order in which they are registered.
    
    Reviewed by:    markj
    Obtained from:  Juniper Networks, Inc.
    Differential Revision: https://reviews.freebsd.org/D39589
---
 sys/security/mac/mac_framework.c | 38 ++++++++++++++++----------------------
 1 file changed, 16 insertions(+), 22 deletions(-)

diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 8fc67f6c1b85..5231783ab454 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -519,7 +519,8 @@ mac_policy_fastpath_unregister(struct mac_policy_conf *mpc)
 static int
 mac_policy_register(struct mac_policy_conf *mpc)
 {
-	struct mac_policy_conf *tmpc;
+	struct mac_policy_list_head *mpc_list;
+	struct mac_policy_conf *last_mpc, *tmpc;
 	int error, slot, static_entry;
 
 	error = 0;
@@ -539,19 +540,14 @@ mac_policy_register(struct mac_policy_conf *mpc)
 	static_entry = (!mac_late &&
 	    !(mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK));
 
-	if (static_entry) {
-		LIST_FOREACH(tmpc, &mac_static_policy_list, mpc_list) {
-			if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
-				error = EEXIST;
-				goto out;
-			}
-		}
-	} else {
-		LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) {
-			if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
-				error = EEXIST;
-				goto out;
-			}
+	mpc_list = (static_entry) ? &mac_static_policy_list :
+	    &mac_policy_list;
+	last_mpc = NULL;
+	LIST_FOREACH(tmpc, mpc_list, mpc_list) {
+		last_mpc = tmpc;
+		if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
+			error = EEXIST;
+			goto out;
 		}
 	}
 	if (mpc->mpc_field_off != NULL) {
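Review bot: The local `mpc_list` declared in the first hunk has the same name as the `mpc_list` link field of `struct mac_policy_conf`, so `LIST_FOREACH(tmpc, mpc_list, mpc_list)` uses one spelling for a list-head pointer and for a member name. It compiles because the macro treats its third argument purely as a member name, but a distinct local such as `head` would make the walk and the later insert easier to audit: `LIST_FOREACH(tmpc, head, mpc_list)`. The commit also removes the only comment that explained the choice between the static and the dynamic list; a line above the ternary such as `/* Policies registered before mac_late without MPC_LOADTIME_FLAG_UNLOADOK go on the static list. */` would keep that rationale next to `static_entry`. mac_policy_register starts before this hunk and continues after it.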
@@ -567,16 +563,14 @@ mac_policy_register(struct mac_policy_conf *mpc)
 	mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED;
 
 	/*
-	 * If we're loading a MAC module after the framework has initialized,
-	 * it has to go into the dynamic list.  If we're loading it before
-	 * we've finished initializing, it can go into the static list with
-	 * weaker locker requirements.
+	 * Some modules may depend on the operations of its dependencies.
+	 * Inserting modules in order of registration ensures operations
+	 * that work on the module list retain dependency order.
 	 */
-	if (static_entry)
-		LIST_INSERT_HEAD(&mac_static_policy_list, mpc, mpc_list);
+	if (last_mpc == NULL)
+		LIST_INSERT_HEAD(mpc_list, mpc, mpc_list);
 	else
-		LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list);
-
+		LIST_INSERT_AFTER(last_mpc, mpc, mpc_list);
 	/*
 	 * Per-policy initialization.  Currently, this takes place under the
 	 * exclusive lock, so policies must not sleep in their init method.
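Review bot: `LIST_INSERT_AFTER(last_mpc, mpc, mpc_list)` is correct only while `last_mpc` is still the tail of the list, and the visible lines do not state that the list lock is held without interruption from the duplicate-name walk in the previous hunk to this insert. The comment that follows says initialization runs under the exclusive lock, which suggests it is, but the code between the two hunks is not shown, so I would record the invariant at the insert: `/* last_mpc is the tail seen during the name check; the policy list lock must not be dropped in between. */`. Because list position now presumably determines the order in which policies are consulted, the new comment could also say that a dependency has to register before its dependents for the order to hold. Minor wording: "its dependencies" should read "their dependencies". The function continues past the end of this hunk.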


