From owner-p4-projects@FreeBSD.ORG Sun Nov 9 19:46:14 2003 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id C9D9116A4D0; Sun, 9 Nov 2003 19:46:13 -0800 (PST) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 73FEC16A4CE for ; Sun, 9 Nov 2003 19:46:13 -0800 (PST) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 55DD643F85 for ; Sun, 9 Nov 2003 19:46:12 -0800 (PST) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.9/8.12.9) with ESMTP id hAA3kCXJ066159 for ; Sun, 9 Nov 2003 19:46:12 -0800 (PST) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.9/8.12.9/Submit) id hAA3kBAq066156 for perforce@freebsd.org; Sun, 9 Nov 2003 19:46:11 -0800 (PST) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Sun, 9 Nov 2003 19:46:11 -0800 (PST) Message-Id: <200311100346.hAA3kBAq066156@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
From: Robert Watson To: Perforce Change Reviews Subject: PERFORCE change 41858 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Nov 2003 03:46:14 -0000 http://perforce.freebsd.org/chv.cgi?CH=41858 Change 41858 by rwatson@rwatson_paprika on 2003/11/09 19:45:50 Integrate the TrustedBSD SEBSD branch with recent changes from the TrustedBSD MAC branch: - Use zone allocated temporary labels rather than stack-allocated storage for credentials, pipes, vnodes, during query/set/ transition/... - Simplify mac_execve_enter() API and interpreter code. - Remove old _init() and _destroy() APIs for caller-owned memory initialization/destruction. GC. Affected files ... .. //depot/projects/trustedbsd/sebsd/sys/kern/kern_exec.c#8 integrate .. //depot/projects/trustedbsd/sebsd/sys/kern/kern_mac.c#18 integrate .. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_internal.h#7 integrate .. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_net.c#4 integrate .. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_pipe.c#4 integrate .. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_process.c#4 integrate .. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_vfs.c#6 integrate .. //depot/projects/trustedbsd/sebsd/sys/security/mac_biba/mac_biba.c#8 integrate .. //depot/projects/trustedbsd/sebsd/sys/sys/mac.h#11 integrate Differences ... ==== //depot/projects/trustedbsd/sebsd/sys/kern/kern_exec.c#8 (text+ko) ==== @@ -168,9 +168,8 @@ int credential_changing; int textset; #ifdef MAC - struct label interplabel; /* label of the interpreted vnode */ - struct label execlabel; /* optional label argument */ - int will_transition, interplabelvalid = 0; + struct label *interplabel = NULL; + int will_transition; #endif imgp = &image_params; 
@@ -223,7 +222,7 @@ imgp->auxarg_size = 0; #ifdef MAC - error = mac_execve_enter(imgp, mac_p, &execlabel); + error = mac_execve_enter(imgp, mac_p); if (error) { mtx_lock(&Giant); goto exec_fail; @@ -340,9 +339,8 @@ /* free name buffer and old vnode */ NDFREE(ndp, NDF_ONLY_PNBUF); #ifdef MAC - mac_init_vnode_label(&interplabel); - mac_copy_vnode_label(ndp->ni_vp->v_label, &interplabel); - interplabelvalid = 1; + interplabel = mac_cred_label_alloc(); + mac_copy_vnode_label(ndp->ni_vp->v_label, interplabel); #endif vput(ndp->ni_vp); vm_object_deallocate(imgp->object); @@ -456,7 +454,7 @@ attr.va_gid; #ifdef MAC will_transition = mac_execve_will_transition(oldcred, imgp->vp, - interplabelvalid ? &interplabel : NULL, imgp); + interplabel, imgp); credential_changing |= will_transition; #endif @@ -506,7 +504,7 @@ #ifdef MAC if (will_transition) { mac_execve_transition(oldcred, newcred, imgp->vp, - interplabelvalid ? &interplabel : NULL, imgp); + interplabel, imgp); } #endif /* @@ -658,8 +656,8 @@ /* sorry, no more process anymore. exit gracefully */ #ifdef MAC mac_execve_exit(imgp); - if (interplabelvalid) - mac_destroy_vnode_label(&interplabel); + if (interplabel != NULL) + mac_vnode_label_free(interplabel); #endif exit1(td, W_EXITCODE(0, SIGABRT)); /* NOT REACHED */ @@ -668,8 +666,8 @@ done2: #ifdef MAC mac_execve_exit(imgp); - if (interplabelvalid) - mac_destroy_vnode_label(&interplabel); + if (interplabel != NULL) + mac_vnode_label_free(interplabel); #endif mtx_unlock(&Giant); return (error); ==== //depot/projects/trustedbsd/sebsd/sys/kern/kern_mac.c#18 (text+ko) ==== @@ -643,7 +643,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) { struct ucred *newcred, *oldcred; - struct label intlabel; + struct label *intlabel; struct proc *p; struct mac mac; char *buffer; 
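Review bot: In the @@ -340 hunk the interpreter label is obtained from `mac_cred_label_alloc()` but then filled by `mac_copy_vnode_label()` and, in the @@ -658 and @@ -668 hunks, released with `mac_vnode_label_free()`, so an object of one label type is initialised, copied into and destroyed as another. By analogy with the `mac_init_cred_label`/`mac_destroy_vnode_label` pairs this commit removes, the alloc presumably runs the policies' cred-label init and the free runs their vnode-label destroy, which mismatches per-policy storage for any module that treats the two differently and also leaves the cred/vnode debug counters skewed. The allocation should read `interplabel = mac_vnode_label_alloc();`, which mac.h now exports next to the cred variant. The enclosing exec routine begins and ends outside these hunks.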
@@ -664,13 +664,11 @@ return (error); } - mac_init_cred_label(&intlabel); - error = mac_internalize_cred_label(&intlabel, buffer); + intlabel = mac_cred_label_alloc(); + error = mac_internalize_cred_label(intlabel, buffer); free(buffer, M_MACTEMP); - if (error) { - mac_destroy_cred_label(&intlabel); - return (error); - } + if (error) + goto out; newcred = crget(); @@ -678,7 +676,7 @@ PROC_LOCK(p); oldcred = p->p_ucred; - error = mac_check_cred_relabel(oldcred, &intlabel); + error = mac_check_cred_relabel(oldcred, intlabel); if (error) { PROC_UNLOCK(p); crfree(newcred); @@ -687,7 +685,7 @@ setsugid(p); crcopy(newcred, oldcred); - mac_relabel_cred(newcred, &intlabel); + mac_relabel_cred(newcred, intlabel); p->p_ucred = newcred; /* @@ -707,7 +705,7 @@ crfree(oldcred); out: - mac_destroy_cred_label(&intlabel); + mac_cred_label_free(intlabel); return (error); } @@ -718,7 +716,7 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) { char *elements, *buffer; - struct label intlabel; + struct label *intlabel; struct file *fp; struct mac mac; struct vnode *vp; @@ -753,20 +751,20 @@ case DTYPE_VNODE: vp = fp->f_vnode; - mac_init_vnode_label(&intlabel); + intlabel = mac_vnode_label_alloc(); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); - mac_copy_vnode_label(vp->v_label, &intlabel); + mac_copy_vnode_label(vp->v_label, intlabel); VOP_UNLOCK(vp, 0, td); break; case DTYPE_PIPE: pipe = fp->f_data; - mac_init_pipe_label(&intlabel); + intlabel = mac_pipe_label_alloc(); PIPE_LOCK(pipe); - mac_copy_pipe_label(pipe->pipe_label, &intlabel); + mac_copy_pipe_label(pipe->pipe_label, intlabel); PIPE_UNLOCK(pipe); break; default: 
@@ -780,14 +778,14 @@ case DTYPE_FIFO: case DTYPE_VNODE: if (error == 0) - error = mac_externalize_vnode_label(&intlabel, + error = mac_externalize_vnode_label(intlabel, elements, buffer, mac.m_buflen); - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); break; case DTYPE_PIPE: - error = mac_externalize_pipe_label(&intlabel, elements, + error = mac_externalize_pipe_label(intlabel, elements, buffer, mac.m_buflen); - mac_destroy_pipe_label(&intlabel); + mac_pipe_label_free(intlabel); break; default: panic("__mac_get_fd: corrupted label_type"); @@ -812,7 +810,7 @@ { char *elements, *buffer; struct nameidata nd; - struct label intlabel; + struct label *intlabel; struct mac mac; int error; @@ -839,13 +837,13 @@ if (error) goto out; - mac_init_vnode_label(&intlabel); - mac_copy_vnode_label(nd.ni_vp->v_label, &intlabel); - error = mac_externalize_vnode_label(&intlabel, elements, buffer, + intlabel = mac_vnode_label_alloc(); + mac_copy_vnode_label(nd.ni_vp->v_label, intlabel); + error = mac_externalize_vnode_label(intlabel, elements, buffer, mac.m_buflen); NDFREE(&nd, 0); - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); if (error == 0) error = copyout(buffer, mac.m_string, strlen(buffer)+1); @@ -867,7 +865,7 @@ { char *elements, *buffer; struct nameidata nd; - struct label intlabel; + struct label *intlabel; struct mac mac; int error; @@ -894,12 +892,12 @@ if (error) goto out; - mac_init_vnode_label(&intlabel); - mac_copy_vnode_label(nd.ni_vp->v_label, &intlabel); - error = mac_externalize_vnode_label(&intlabel, elements, buffer, + intlabel = mac_vnode_label_alloc(); + mac_copy_vnode_label(nd.ni_vp->v_label, intlabel); + error = mac_externalize_vnode_label(intlabel, elements, buffer, mac.m_buflen); NDFREE(&nd, 0); - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); if (error == 0) error = copyout(buffer, mac.m_string, strlen(buffer)+1); 
@@ -974,7 +972,7 @@ int __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) { - struct label intlabel; + struct label *intlabel; struct pipe *pipe; struct file *fp; struct mount *mp; @@ -1007,40 +1005,38 @@ switch (fp->f_type) { case DTYPE_FIFO: case DTYPE_VNODE: - mac_init_vnode_label(&intlabel); - error = mac_internalize_vnode_label(&intlabel, buffer); + intlabel = mac_vnode_label_alloc(); + error = mac_internalize_vnode_label(intlabel, buffer); if (error) { - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); break; } vp = fp->f_vnode; error = vn_start_write(vp, &mp, V_WAIT | PCATCH); if (error != 0) { - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); break; } vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); - error = vn_setlabel(vp, &intlabel, td->td_ucred); + error = vn_setlabel(vp, intlabel, td->td_ucred); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); - - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); break; case DTYPE_PIPE: - mac_init_pipe_label(&intlabel); - error = mac_internalize_pipe_label(&intlabel, buffer); + intlabel = mac_pipe_label_alloc(); + error = mac_internalize_pipe_label(intlabel, buffer); if (error == 0) { pipe = fp->f_data; PIPE_LOCK(pipe); error = mac_pipe_label_set(td->td_ucred, pipe, - &intlabel); + intlabel); PIPE_UNLOCK(pipe); } - - mac_destroy_pipe_label(&intlabel); + mac_pipe_label_free(intlabel); break; default: @@ -1062,7 +1058,7 @@ int __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) { - struct label intlabel; + struct label *intlabel; struct nameidata nd; struct mount *mp; struct mac mac; 
@@ -1084,13 +1080,11 @@ return (error); } - mac_init_vnode_label(&intlabel); - error = mac_internalize_vnode_label(&intlabel, buffer); + intlabel = mac_vnode_label_alloc(); + error = mac_internalize_vnode_label(intlabel, buffer); free(buffer, M_MACTEMP); - if (error) { - mac_destroy_vnode_label(&intlabel); - return (error); - } + if (error) + goto out; mtx_lock(&Giant); /* VFS */ @@ -1100,15 +1094,16 @@ if (error == 0) { error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); if (error == 0) - error = vn_setlabel(nd.ni_vp, &intlabel, + error = vn_setlabel(nd.ni_vp, intlabel, td->td_ucred); vn_finished_write(mp); } NDFREE(&nd, 0); mtx_unlock(&Giant); /* VFS */ - mac_destroy_vnode_label(&intlabel); +out: + mac_vnode_label_free(intlabel); return (error); } @@ -1118,7 +1113,7 @@ int __mac_set_link(struct thread *td, struct __mac_set_link_args *uap) { - struct label intlabel; + struct label *intlabel; struct nameidata nd; struct mount *mp; struct mac mac; @@ -1140,13 +1135,11 @@ return (error); } - mac_init_vnode_label(&intlabel); - error = mac_internalize_vnode_label(&intlabel, buffer); + intlabel = mac_vnode_label_alloc(); + error = mac_internalize_vnode_label(intlabel, buffer); free(buffer, M_MACTEMP); - if (error) { - mac_destroy_vnode_label(&intlabel); - return (error); - } + if (error) + goto out; mtx_lock(&Giant); /* VFS */ @@ -1156,15 +1149,15 @@ if (error == 0) { error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); if (error == 0) - error = vn_setlabel(nd.ni_vp, &intlabel, + error = vn_setlabel(nd.ni_vp, intlabel, td->td_ucred); vn_finished_write(mp); } NDFREE(&nd, 0); mtx_unlock(&Giant); /* VFS */ - mac_destroy_vnode_label(&intlabel); - +out: + mac_vnode_label_free(intlabel); return (error); } ==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_internal.h#7 (text+ko) ==== 
@@ -103,11 +103,12 @@ * the namespaces, etc, should work for these, so for now, sort by * object type. */ +struct label *mac_pipe_label_alloc(void); +void mac_pipe_label_free(struct label *label); + int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel); -void mac_destroy_cred_label(struct label *label); int mac_externalize_cred_label(struct label *label, char *elements, char *outbuf, size_t outbuflen); -void mac_init_cred_label(struct label *label); int mac_internalize_cred_label(struct label *label, char *string); void mac_relabel_cred(struct ucred *cred, struct label *newlabel); @@ -116,10 +117,8 @@ int mac_internalize_mount_label(struct label *label, char *string); void mac_copy_pipe_label(struct label *src, struct label *dest); -void mac_destroy_pipe_label(struct label *label); int mac_externalize_pipe_label(struct label *label, char *elements, char *outbuf, size_t outbuflen); -void mac_init_pipe_label(struct label *label); int mac_internalize_pipe_label(struct label *label, char *string); int mac_externalize_vnode_label(struct label *label, char *elements, ==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_net.c#4 (text+ko) ==== @@ -124,15 +124,6 @@ bpf_d->bd_label = mac_bpfdesc_label_alloc(); } -static void -mac_init_ifnet_label(struct label *label) -{ - - mac_init_label(label); - MAC_PERFORM(init_ifnet_label, label); - MAC_DEBUG_COUNTER_INC(&nmacifnets); -} - static struct label * mac_ifnet_label_alloc(void) { @@ -229,24 +220,6 @@ return (0); } -static int -mac_init_socket_label(struct label *label, int flag) -{ - int error; - - mac_init_label(label); - - MAC_CHECK(init_socket_label, label, flag); - if (error) { - MAC_PERFORM(destroy_socket_label, label); - mac_destroy_label(label); - } else { - MAC_DEBUG_COUNTER_INC(&nmacsockets); - } - - return (error); -} - static struct label * mac_socket_label_alloc(int flag) { 
@@ -320,15 +293,6 @@ } static void -mac_destroy_ifnet_label(struct label *label) -{ - - MAC_PERFORM(destroy_ifnet_label, label); - mac_destroy_label(label); - MAC_DEBUG_COUNTER_DEC(&nmacifnets); -} - -static void mac_ifnet_label_free(struct label *label) { @@ -372,15 +336,6 @@ } static void -mac_destroy_socket_label(struct label *label) -{ - - MAC_PERFORM(destroy_socket_label, label); - mac_destroy_label(label); - MAC_DEBUG_COUNTER_DEC(&nmacsockets); -} - -static void mac_socket_label_free(struct label *label) { @@ -891,7 +846,7 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet) { - struct label intlabel; + struct label *intlabel; struct mac mac; char *buffer; int error; @@ -911,11 +866,11 @@ return (error); } - mac_init_ifnet_label(&intlabel); - error = mac_internalize_ifnet_label(&intlabel, buffer); + intlabel = mac_ifnet_label_alloc(); + error = mac_internalize_ifnet_label(intlabel, buffer); free(buffer, M_MACTEMP); if (error) { - mac_destroy_ifnet_label(&intlabel); + mac_ifnet_label_free(intlabel); return (error); } @@ -926,20 +881,20 @@ */ error = suser_cred(cred, 0); if (error) { - mac_destroy_ifnet_label(&intlabel); + mac_ifnet_label_free(intlabel); return (error); } MAC_CHECK(check_ifnet_relabel, cred, ifnet, ifnet->if_label, - &intlabel); + intlabel); if (error) { - mac_destroy_ifnet_label(&intlabel); + mac_ifnet_label_free(intlabel); return (error); } - MAC_PERFORM(relabel_ifnet, cred, ifnet, ifnet->if_label, &intlabel); + MAC_PERFORM(relabel_ifnet, cred, ifnet, ifnet->if_label, intlabel); - mac_destroy_ifnet_label(&intlabel); + mac_ifnet_label_free(intlabel); return (0); } @@ -947,7 +902,7 @@ mac_setsockopt_label_set(struct ucred *cred, struct socket *so, struct mac *mac) { - struct label intlabel; + struct label *intlabel; char *buffer; int error; 
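Review bot: In the @@ -926 hunk of mac_ioctl_ifnet_set the rewritten code still repeats `mac_ifnet_label_free(intlabel); return (error);` on every failure path (internalize error, suser_cred, check_ifnet_relabel) plus once on success, which is exactly the shape this same change replaces with a single `out:` label in kern_mac.c's __mac_set_file and __mac_set_link. For consistency with the rest of the commit, and so a future early return cannot skip the free, the three error returns could become `goto out;` with one `out: mac_ifnet_label_free(intlabel); return (error);` at the end. The function's declarations are in the preceding @@ -891 hunk.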
@@ -962,23 +917,23 @@ return (error); } - mac_init_socket_label(&intlabel, M_WAITOK); - error = mac_internalize_socket_label(&intlabel, buffer); + intlabel = mac_socket_label_alloc(M_WAITOK); + error = mac_internalize_socket_label(intlabel, buffer); free(buffer, M_MACTEMP); if (error) { - mac_destroy_socket_label(&intlabel); + mac_socket_label_free(intlabel); return (error); } - mac_check_socket_relabel(cred, so, &intlabel); + mac_check_socket_relabel(cred, so, intlabel); if (error) { - mac_destroy_socket_label(&intlabel); + mac_socket_label_free(intlabel); return (error); } - mac_relabel_socket(cred, so, &intlabel); + mac_relabel_socket(cred, so, intlabel); - mac_destroy_socket_label(&intlabel); + mac_socket_label_free(intlabel); return (0); } ==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_pipe.c#4 (text+ko) ==== @@ -61,16 +61,7 @@ &nmacpipes, 0, "number of pipes in use"); #endif -void -mac_init_pipe_label(struct label *label) -{ - - mac_init_label(label); - MAC_PERFORM(init_pipe_label, label); - MAC_DEBUG_COUNTER_INC(&nmacpipes); -} - -static struct label * +struct label * mac_pipe_label_alloc(void) { struct label *label; @@ -90,15 +81,6 @@ } void -mac_destroy_pipe_label(struct label *label) -{ - - MAC_PERFORM(destroy_pipe_label, label); - mac_destroy_label(label); - MAC_DEBUG_COUNTER_DEC(&nmacpipes); -} - -static void mac_pipe_label_free(struct label *label) { ==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_process.c#4 (text+ko) ==== @@ -96,16 +96,7 @@ static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, struct vm_map *map); -void -mac_init_cred_label(struct label *label) -{ - - mac_init_label(label); - MAC_PERFORM(init_cred_label, label); - MAC_DEBUG_COUNTER_INC(&nmaccreds); -} - -static struct label * +struct label * mac_cred_label_alloc(void) { struct label *label; @@ -141,7 +132,7 @@ p->p_label = mac_proc_label_alloc(); } -static void +void mac_cred_label_free(struct label *label) { 
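Review bot: In the @@ -962 hunk of mac_setsockopt_label_set the rewritten line `mac_check_socket_relabel(cred, so, intlabel);` still discards the check's return value, so the `if (error)` beneath it tests the zero left over from the successful `mac_internalize_socket_label` call and the relabel is performed whatever the policies decided. Since the line is being touched anyway, it should become `error = mac_check_socket_relabel(cred, so, intlabel);` so that a policy veto actually takes the free-and-return path. The function's signature and local declarations are in the preceding @@ -947 hunk.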
@@ -151,15 +142,6 @@ } void -mac_destroy_cred_label(struct label *label) -{ - - MAC_PERFORM(destroy_cred_label, label); - mac_destroy_label(label); - MAC_DEBUG_COUNTER_DEC(&nmaccreds); -} - -void mac_destroy_cred(struct ucred *cred) { @@ -247,9 +229,9 @@ } int -mac_execve_enter(struct image_params *imgp, struct mac *mac_p, - struct label *execlabelstorage) +mac_execve_enter(struct image_params *imgp, struct mac *mac_p) { + struct label *label; struct mac mac; char *buffer; int error; @@ -272,22 +254,24 @@ return (error); } - mac_init_cred_label(execlabelstorage); - error = mac_internalize_cred_label(execlabelstorage, buffer); + label = mac_cred_label_alloc(); + error = mac_internalize_cred_label(label, buffer); free(buffer, M_MACTEMP); if (error) { - mac_destroy_cred_label(execlabelstorage); + mac_cred_label_free(label); return (error); } - imgp->execlabel = execlabelstorage; + imgp->execlabel = label; return (0); } void mac_execve_exit(struct image_params *imgp) { - if (imgp->execlabel != NULL) - mac_destroy_cred_label(imgp->execlabel); + if (imgp->execlabel != NULL) { + mac_cred_label_free(imgp->execlabel); + imgp->execlabel = NULL; + } } /* ==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_vfs.c#6 (text+ko) ==== @@ -156,16 +156,7 @@ mp->mnt_fslabel = mac_mount_fs_label_alloc(); } -void -mac_init_vnode_label(struct label *label) -{ - - mac_init_label(label); - MAC_PERFORM(init_vnode_label, label); - MAC_DEBUG_COUNTER_INC(&nmacvnodes); -} - -static struct label * +struct label * mac_vnode_label_alloc(void) { struct label *label; @@ -237,15 +228,6 @@ } void -mac_destroy_vnode_label(struct label *label) -{ - - MAC_PERFORM(destroy_vnode_label, label); - mac_destroy_label(label); - MAC_DEBUG_COUNTER_DEC(&nmacvnodes); -} - -static void mac_vnode_label_free(struct label *label) { ==== //depot/projects/trustedbsd/sebsd/sys/security/mac_biba/mac_biba.c#8 (text+ko) ==== ==== //depot/projects/trustedbsd/sebsd/sys/sys/mac.h#11 (text+ko) ==== 
@@ -158,7 +158,6 @@ void mac_init_mount(struct mount *); void mac_init_proc(struct proc *); void mac_init_vnode(struct vnode *); -void mac_init_vnode_label(struct label *); void mac_init_mount_label(struct label *); void mac_copy_mbuf_tag(struct m_tag *, struct m_tag *); void mac_copy_vnode_label(struct label *, struct label *label); @@ -180,9 +179,13 @@ void mac_destroy_mbuf_tag(struct m_tag *); void mac_destroy_mount(struct mount *); void mac_destroy_vnode(struct vnode *); -void mac_destroy_vnode_label(struct label *); void mac_destroy_mount_label(struct label *); +struct label *mac_cred_label_alloc(void); +void mac_cred_label_free(struct label *label); +struct label *mac_vnode_label_alloc(void); +void mac_vnode_label_free(struct label *label); + /* * Labeling event operations: file system objects, and things that * look a lot like file system objects. @@ -264,8 +267,7 @@ * Labeling event operations: processes. */ void mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child); -int mac_execve_enter(struct image_params *imgp, struct mac *mac_p, - struct label *execlabel); +int mac_execve_enter(struct image_params *imgp, struct mac *mac_p); void mac_execve_exit(struct image_params *imgp); void mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp, struct label *interpvnodelabel,
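Review bot: The four prototypes added in the @@ -180 hunk (`mac_cred_label_alloc`, `mac_cred_label_free`, `mac_vnode_label_alloc`, `mac_vnode_label_free`) carry no comment on the ownership rule they replace the old `_init`/`_destroy` pairs with, and the rest of this change already shows how easy it is to pair an alloc of one type with the free of another. A short header comment above them would make the contract explicit, e.g. `/* Temporary label storage: a label returned by mac_X_label_alloc() is owned by the caller and must be released with mac_X_label_free() for the same object type X. */`. The same remark applies to the `mac_pipe_label_alloc`/`mac_pipe_label_free` prototypes added to mac_internal.h in the @@ -103 hunk.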