From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 107170 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Oct 2006 14:11:38 -0000 http://perforce.freebsd.org/chv.cgi?CH=107170 Change 107170 by millert@millert_macbook on 2006/10/03 14:11:07 Replace the reference count in struct mac_label_element with a list of policy handles that act as "listeners". To find what policies care about what label namespaces we just have to walk the list of listeners for that particular label namespace. This makes internalization and externalization simpler and faster. Rewrote label internalization and externalization to use the new listener interface. Uses functions instead of macros for the heavy lifting. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#10 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_internal.h#7 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_pipe.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_port.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_process.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_socket.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_task.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_vfs.c#6 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#10 (text+ko) ==== 
@@ -493,14 +493,12 @@
 void
 mac_policy_addto_labellist(mac_policy_handle_t handle, int static_entry)
 {
- struct mac_label_element **new_mles;
- struct mac_label_element *mle;
+ struct mac_label_listener **new_mlls;
+ struct mac_label_element *mle, **new_mles;
 struct mac_label_element_list_t *list;
 struct mac_policy_conf *mpc;
 const char *name;
- int found;
- u_int idx;
- int midx;
+ u_int idx, mle_free, mll_free;
 mpc = mac_get_mpc(handle);
@@ -510,7 +508,6 @@
 if (mpc->mpc_labelname_count == 0)
 return;
- /* XXX - do we really need two lists? slight advantage when removing. */
 if (static_entry)
 list = &mac_static_label_element_list;
 else
@@ -528,7 +525,14 @@
 MALLOC(new_mles[idx], struct mac_label_element *,
 sizeof(struct mac_label_element), M_MACTEMP, M_WAITOK);
- midx = 0;
+ mle_free = 0;
+ MALLOC(new_mlls, struct mac_label_listener **,
+ sizeof(struct mac_label_listener *) *
+ mpc->mpc_labelname_count, M_MACTEMP, M_WAITOK);
+ for (idx = 0; idx < mpc->mpc_labelname_count; idx++)
+ MALLOC(new_mlls[idx], struct mac_label_listener *,
+ sizeof(struct mac_label_listener), M_MACTEMP, M_WAITOK);
+ mll_free = 0;
 if (mac_late)
 mac_policy_grab_exclusive();
@@ -536,42 +540,43 @@
 name = mpc->mpc_labelnames[idx];
- /* Check both label element lists and add to the
- * appropriate list only if not already on a list
+ /*
+ * Check both label element lists and add to the
+ * appropriate list only if not already on a list.
 */
- found = FALSE;
- LIST_FOREACH(mle, &mac_static_label_element_list,
- mle_list) {
- if (strcmp(name, mle->mle_name) == 0) {
- /* ref count unused for static list */
- found = TRUE;
+ LIST_FOREACH(mle, &mac_static_label_element_list, mle_list) {
+ if (strcmp(name, mle->mle_name) == 0)
 break;
- }
 }
- if (!found)
- LIST_FOREACH(mle,
- &mac_label_element_list, mle_list) {
- if (strcmp(name, mle->mle_name) == 0) {
- mle->mle_refs++;
- found = TRUE;
+ if (mle == NULL) {
+ LIST_FOREACH(mle, &mac_label_element_list, mle_list) {
+ if (strcmp(name, mle->mle_name) == 0)
 break;
- }
 }
- if (!found) {
- strcpy(new_mles[midx]->mle_name, name);
- new_mles[midx]->mle_refs = 1;
- LIST_INSERT_HEAD(list, new_mles[midx],
- mle_list);
- midx++;
+ }
+ if (mle == NULL) {
+ mle = new_mles[mle_free];
+ strcpy(mle->mle_name, name);
+ LIST_INIT(&mle->mle_listeners);
+ LIST_INSERT_HEAD(list, mle, mle_list);
+ mle_free++;
 }
+ /* Add policy handler as a listener. */
+ new_mlls[mll_free]->mll_handle = handle;
+ LIST_INSERT_HEAD(&mle->mle_listeners, new_mlls[mll_free],
+ mll_list);
+ mll_free++;
 }
 if (mac_late)
 mac_policy_release_exclusive();
- /* Free up any unused label elements */
- for (idx = midx; idx < mpc->mpc_labelname_count; idx++)
+ /* Free up any unused label elements and listeners */
+ for (idx = mle_free; idx < mpc->mpc_labelname_count; idx++)
 FREE(new_mles[idx], M_MACTEMP);
 FREE(new_mles, M_MACTEMP);
+ for (idx = mll_free; idx < mpc->mpc_labelname_count; idx++)
+ FREE(new_mlls[idx], M_MACTEMP);
+ FREE(new_mlls, M_MACTEMP);
 }
 /*
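Review bot: The listener is attached to whichever element the name matches first, including one found on mac_static_label_element_list, without regard to static_entry; the removal side in this same change (mac_policy_removefrom_labellist) walks only mac_label_element_list, so a late-loaded policy that shares a namespace name with a static policy keeps a listener whose mll_handle outlives it, and mac_externalize_label later indexes mac_policy_list.entries[] through that stale handle. If that pairing can occur, either restrict the static-list search to `if (static_entry)` or make the removal walk both lists. The `strcpy(mle->mle_name, name)` into the fixed-size mle_name buffer is carried over from the old code unchanged; a bounded copy with a length check on the policy-supplied name would be the place to close that while this code is being reworked.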
@@ -583,10 +588,9 @@
 void
 mac_policy_removefrom_labellist(mac_policy_handle_t handle)
 {
+ struct mac_label_listener *mll;
 struct mac_label_element *mle;
 struct mac_policy_conf *mpc;
- const char *name;
- u_int idx;
 mpc = mac_get_mpc(handle);
@@ -597,24 +601,28 @@
 return;
 /*
- * Check each label namespace managed by the policy and remove
- * it from the non-static list only if no other policy is interested
- * in that label namespace.
+ * Unregister policy as being interested in any label
+ * namespaces. If no other policy is listening, remove
+ * that label element from the list. Note that we only
+ * have to worry about the non-static list.
 */
+ /* XXX - how could mac_late *not* be set here?!? */
 if (mac_late)
 mac_policy_grab_exclusive();
- for (idx = 0; idx < mpc->mpc_labelname_count; idx++) {
- name = mpc->mpc_labelnames[idx];
- LIST_FOREACH(mle, &mac_label_element_list, mle_list) {
- if (strcmp(name, mle->mle_name) == 0) {
- if (--mle->mle_refs == 0) {
+ LIST_FOREACH(mle, &mac_label_element_list, mle_list) {
+ LIST_FOREACH(mll, &mle->mle_listeners, mll_list) {
+ if (mll->mll_handle == handle) {
+ LIST_REMOVE(mll, mll_list);
+ FREE(mll, M_MACTEMP);
+ if (LIST_EMPTY(&mle->mle_listeners)) {
 LIST_REMOVE(mle, mle_list);
 FREE(mle, M_MACTEMP);
 }
- break;
+ goto done;
 }
 }
 }
+done:
 if (mac_late)
 mac_policy_release_exclusive();
 }
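Review bot: `goto done` on the first matching listener leaves the outer LIST_FOREACH after a single element, so a policy that registered more than one label namespace (mpc_labelname_count > 1, which the allocation loop in mac_policy_addto_labellist explicitly provides for) keeps its listeners on every other element, and those stale mll_handle values are later dereferenced through mac_policy_list.entries[] by mac_externalize_label and mac_internalize_label. Replacing the goto with a plain break is not enough, because the outer LIST_FOREACH would then read mle->mle_list after the FREE(mle) two lines above. Both loops need their next pointer saved before the removal; the sketch below does that with LIST_FIRST/LIST_NEXT and drops the `done:` label.
```c
	struct mac_label_listener *mll, *mll_next;
	struct mac_label_element *mle, *mle_next;
	/* ... unchanged: mpc lookup, early return, comment, lock acquisition ... */
	for (mle = LIST_FIRST(&mac_label_element_list); mle != NULL;
	    mle = mle_next) {
		mle_next = LIST_NEXT(mle, mle_list);
		for (mll = LIST_FIRST(&mle->mle_listeners); mll != NULL;
		    mll = mll_next) {
			mll_next = LIST_NEXT(mll, mll_list);
			if (mll->mll_handle != handle)
				continue;
			LIST_REMOVE(mll, mll_list);
			FREE(mll, M_MACTEMP);
			if (LIST_EMPTY(&mle->mle_listeners)) {
				LIST_REMOVE(mle, mle_list);
				FREE(mle, M_MACTEMP);
			}
			break;	/* this element is done; keep scanning the rest */
		}
	}
	/* ... unchanged: lock release (the done: label is no longer needed) ... */
```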
@@ -1017,6 +1025,167 @@
 return (0);
 }
+/*
+ * Get the external forms of labels from all policies, for a single
+ * label namespace or "*" for all namespaces. Returns ENOENT if no policy
+ * is registered for the namespace, unless the namespace begins with a '?'.
+ */
+static int
+mac_externalize_label(size_t mpo_externalize_off, struct label *label,
+ const char *element, struct sbuf *sb)
+{
+ struct mac_policy_conf *mpc;
+ struct mac_label_listener *mll;
+ struct mac_label_element *mle;
+ struct mac_label_element_list_t *element_list;
+ int (*mpo_externalize)(struct label *, char *, struct sbuf *);
+ int all_labels = 0, ignorenotfound = 0, error = 0, busy = FALSE;
+ unsigned int count = 0;
+
+ if (element[0] == '?') {
+ element++;
+ ignorenotfound = 1;
+ } else if (element[0] == '*' && element[1] == '\0')
+ all_labels = 1;
+
+ element_list = &mac_static_label_element_list;
+element_loop:
+ LIST_FOREACH(mle, element_list, mle_list) {
+ if (!all_labels && strcmp(mle->mle_name, element) != 0)
+ continue;
+ LIST_FOREACH(mll, &mle->mle_listeners, mll_list) {
+ mpc = mac_policy_list.entries[mll->mll_handle].mpc;
+ if (mpc == NULL)
+ panic("%s: trying to externalize a policy "
+ "handle that doesn't exist", __func__);
+ mpo_externalize = *(typeof(mpo_externalize) *)
+ ((char *)mpc->mpc_ops + mpo_externalize_off);
+ if (mpo_externalize == NULL)
+ continue;
+ error = sbuf_printf(sb, "%s/", mle->mle_name);
+ if (error)
+ goto done;
+ error = mpo_externalize(label, mle->mle_name, sb);
+ if (error)
+ goto done;
+ error = sbuf_putc(sb, ',');
+ if (error)
+ goto done;
+ count++;
+ }
+ }
+ /* If there are dynamic policies present, check their elements too. */
+ if (!busy && mac_policy_list_conditional_busy() == 1) {
+ element_list = &mac_label_element_list;
+ busy = TRUE;
+ goto element_loop;
+ }
+done:
+ if (busy)
+ mac_policy_list_unbusy();
+ if (!error && count == 0) {
+ if (!all_labels && !ignorenotfound)
+ error = ENOENT; /* XXX: ENOLABEL? */
+ }
+ return (error);
+}
+
+/*
+ * Get the external forms of labels from all policies, for all label
+ * namespaces contained in a list.
+ */
+int
+mac_externalize(size_t mpo_externalize_off, struct label *label,
+ char *elementlist, char *outbuf, size_t outbuflen)
+{
+ char *element;
+ struct sbuf sb;
+ int error = 0, len;
+
+ sbuf_new(&sb, outbuf, outbuflen, SBUF_FIXEDLEN);
+ while ((element = strsep(&elementlist, ",")) != NULL) {
+ error = mac_externalize_label(mpo_externalize_off, label,
+ element, &sb);
+ if (error)
+ break;
+ }
+ if ((len = sbuf_len(&sb)) > 0)
+ sbuf_setpos(&sb, len - 1); /* trim trailing comma */
+ sbuf_finish(&sb);
+ return (error);
+}
+
+/*
+ * Have all policies set the internal form of a label, for a single
+ * label namespace.
+ */
+static int
+mac_internalize_label(size_t mpo_internalize_off, struct label *label,
+ char *element_name, char *element_data)
+{
+ struct mac_policy_conf *mpc;
+ struct mac_label_listener *mll;
+ struct mac_label_element *mle;
+ struct mac_label_element_list_t *element_list;
+ int (*mpo_internalize)(struct label *, char *, char *);
+ int error = 0, busy = FALSE;
+ unsigned int count = 0;
+
+ element_list = &mac_static_label_element_list;
+element_loop:
+ LIST_FOREACH(mle, element_list, mle_list) {
+ if (strcmp(element_name, mle->mle_name) == 0)
+ continue;
+ LIST_FOREACH(mll, &mle->mle_listeners, mll_list) {
+ mpc = mac_policy_list.entries[mll->mll_handle].mpc;
+ if (mpc == NULL)
+ panic("%s: trying to internalize a policy "
+ "handle that doesn't exist", __func__);
+ mpo_internalize = *(typeof(mpo_internalize) *)
+ ((char *)mpc->mpc_ops + mpo_internalize_off);
+ if (mpo_internalize == NULL)
+ continue;
+ error = mpo_internalize(label, element_name,
+ element_data);
+ if (error)
+ goto done;
+ count++;
+ }
+ }
+ /* If there are dynamic policies present, check their elements too. */
+ if (!busy && mac_policy_list_conditional_busy() == 1) {
+ element_list = &mac_label_element_list;
+ busy = TRUE;
+ goto element_loop;
+ }
+done:
+ if (busy)
+ mac_policy_list_unbusy();
+ if (!error && count == 0)
+ error = EINVAL;
+ return (error);
+}
+
+int
+mac_internalize(size_t mpo_internalize_off, struct label *label,
+ char *textlabels)
+{
+ char *element_name, *element_data;
+ int error = 0;
+
+ while (!error && (element_name = strsep(&textlabels, ",")) != NULL) {
+ element_data = strchr(element_name, '/');
+ if (element_data == NULL) {
+ error = EINVAL;
+ break;
+ }
+ *element_data++ = '\0';
+ error = mac_internalize_label(mpo_internalize_off, label,
+ element_name, element_data);
+ }
+ return (error);
+}
+
 /* system calls */
 int
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_internal.h#7 (text+ko) ====
@@ -91,12 +91,23 @@
 */
 extern void kmod_load_early(void); /* defined in libsa/kext.cpp */
+/*
+ * Policy that has registered with the framework for a specific
+ * label namespace name.
+ */
+struct mac_label_listener {
+ mac_policy_handle_t mll_handle;
+ LIST_ENTRY(mac_label_listener) mll_list;
+};
+
+LIST_HEAD(mac_label_listeners_t, mac_label_listener);
+
 /*
 * Type of list used to manage label namespace names.
 */
 struct mac_label_element {
- int mle_refs;
 char mle_name[MAC_MAX_LABEL_ELEMENT_NAME];
+ struct mac_label_listeners_t mle_listeners;
 LIST_ENTRY(mac_label_element) mle_list;
 };
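Review bot: In mac_internalize_label the element filter is inverted: `if (strcmp(element_name, mle->mle_name) == 0) continue;` skips the one element whose name matches and instead invokes the internalize hook of every listener on every other namespace, so text supplied for namespace A is handed to the policies registered for the remaining namespaces, and because count ends up non-zero the EINVAL fallback never fires either. mac_externalize_label above uses `!= 0`, which is the intended test; the line should read `if (strcmp(element_name, mle->mle_name) != 0)`. Since this is the path that parses externally supplied label text into kernel label state, it is the most important line in this hunk to correct. A smaller point in mac_externalize_label: an element written as "?*" strips the '?' but never reaches the all_labels test because of the `else if`, so it is treated as a namespace literally named "*".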
@@ -302,222 +313,15 @@
 } \
 } while (0)
-/*
- * Get the external forms of labels from all policies, for a single
- * label namespace.
- */
-#define MAC_EXTERNALIZE2(obj, lname, label, element, sb, count) \
-do { \
- \
- struct mac_policy_conf *ME_mpc; \
- int ebusy = FALSE; \
- u_int idx, j, k, maxindex; \
- \
- count = 0; \
- maxindex = mac_policy_list.staticmax - 1; \
- for (j = 0, k = 0; j < 2; j++) { \
- for (; k <= maxindex; k++) { \
- ME_mpc = mac_policy_list.entries[k].mpc; \
- if (ME_mpc == NULL) \
- continue; \
- \
- if (ME_mpc->mpc_ops->mpo_## obj ##_externalize_## lname == NULL)\
- continue; \
- \
- if (ME_mpc->mpc_labelnames == NULL) \
- continue; \
- \
- for (idx = 0; idx < ME_mpc->mpc_labelname_count; idx++) { \
- if (strcmp(ME_mpc->mpc_labelnames[idx], element) != 0)\
- continue; \
- if (count == 0) { \
- error = sbuf_printf(&sb, "%s/", element);\
- if (error) \
- break; \
- } else { \
- error = sbuf_printf(&sb, ","); \
- if (error) \
- break; \
- } \
- error = ME_mpc->mpc_ops->mpo_## obj ##_externalize_## lname\
- (label, element, &sb); \
- if (error) \
- break; \
- count++; \
- } \
- if (error) \
- break; \
- } \
- if (ebusy || mac_policy_list_conditional_busy() == 0) \
- break; \
- maxindex = mac_policy_list.maxindex; \
- ebusy = TRUE; \
- } \
- if (ebusy) \
- mac_policy_list_unbusy(); \
-} while (0)
+#define MAC_INTERNALIZE(obj, label, instring) \
+ mac_internalize(offsetof(struct mac_policy_ops, mpo_ ## obj ## _internalize_label), label, instring)
-#define MAC_EXTERNALIZE(obj, label, element, sb, count) \
- MAC_EXTERNALIZE2(obj, label, label, element, sb, count)
+#define MAC_EXTERNALIZE2(obj, lname, label, elementlist, outbuf, outbuflen)\
+ mac_externalize(offsetof(struct mac_policy_ops, mpo_ ## obj ## _externalize_ ## lname), label, elementlist, outbuf, outbuflen)
-/*
- * Get the external forms of labels from all policies, for all label
- * namespaces contained in a list.
- */
-#define MAC_EXTERNALIZE_LIST(obj, label, elementlist, outbuf, outbuflen)\
-do { \
- int ignorenotfound; \
- char *element, *sptr; \
- struct sbuf sb; \
- unsigned int count, total_count; \
- \
- error = 0; \
- total_count = 0; \
- sbuf_new(&sb, outbuf, outbuflen, SBUF_FIXEDLEN); \
- sptr = elementlist; \
- while ((element = strsep(&sptr, ",")) != NULL) { \
- if (element[0] == '?') { \
- element++; \
- ignorenotfound = 1; \
- } else \
- ignorenotfound = 0; \
- MAC_EXTERNALIZE(obj, label, element, sb, count); \
- if (error) \
- break; \
- if (count > 0) { \
- total_count += count; \
- error = sbuf_printf(&sb, ":"); \
- if (error) \
- break; \
- } else if (!ignorenotfound) { \
- error = ENOENT; /* XXX: ENOLABEL? */ \
- break; \
- } \
- } \
- /* Remove the last ':' if there was at least one match */ \
- if (total_count != 0) { \
- count = sbuf_len(&sb) - 1; \
- sbuf_setpos(&sb, count); \
- } \
- sbuf_finish(&sb); \
-} while (0)
-
-/*
- * Get the external forms of MAC labels (normal or audit) from all
- * policies, for all label namespaces contained in the master list of
- * registered namespaces.
- * This macro uses the mac_policy_list locking mechanisms to protect the
- * non-static label element list.
- */
-#define MAC_EXTERNALIZE_REGISTERED_LABELS2(obj, lname, label, outbuf, outbuflen, count) \
-do { \
- \
- struct mac_label_element *MERL_mle; \
- struct mac_label_element_list_t *element_list; \
- struct sbuf sb; \
- int busy = FALSE; \
- int i; \
- \
- sbuf_new(&sb, outbuf, outbuflen, SBUF_FIXEDLEN); \
- \
- element_list = &mac_static_label_element_list; \
- for (i = 0; i < 2; i++) { \
- LIST_FOREACH(MERL_mle, element_list, mle_list) { \
- MAC_EXTERNALIZE2(obj, lname, label, MERL_mle->mle_name, sb, count);\
- if (error) \
- break; \
- \
- if (LIST_NEXT(MERL_mle, mle_list) != NULL) { \
- error = sbuf_printf(&sb, ":"); \
- if (error) \
- break; \
- } \
- } \
- if (mac_policy_list_conditional_busy() == 0) \
- break; \
- element_list = &mac_label_element_list; \
- busy = TRUE; \
- } \
- if (busy) \
- mac_policy_list_unbusy(); \
- \
- sbuf_finish(&sb); \
- \
-} while (0)
-
-#define MAC_EXTERNALIZE_REGISTERED_LABELS(obj, label, outbuf, outbuflen, count) \
- MAC_EXTERNALIZE_REGISTERED_LABELS2(obj, label, label, outbuf, outbuflen, count)
-
-/*
- * Have all policies set the internal form of a label, for a single
- * label namespace.
- */
-#define MAC_INTERNALIZE(obj, label, element, element_data, count) \
-do { \
- \
- struct mac_policy_conf *MI_mpc; \
- int busy = FALSE; \
- u_int idx, i, j, maxindex; \
- \
- count = 0; \
- maxindex = mac_policy_list.staticmax - 1; \
- for (i = 0, j = 0; i < 2; i++) { \
- for (; j <= maxindex; j++) { \
- MI_mpc = mac_policy_list.entries[j].mpc; \
- if (MI_mpc == NULL) \
- continue; \
- \
- if (MI_mpc->mpc_ops->mpo_## obj ##_internalize_label == NULL)\
- continue; \
- \
- if (MI_mpc->mpc_labelnames == NULL) \
- continue; \
- \
- for (idx = 0; idx < MI_mpc->mpc_labelname_count; idx++) { \
- if (strcmp(MI_mpc->mpc_labelnames[idx], element) != 0)\
- continue; \
- error = MI_mpc->mpc_ops->mpo_## obj ##_internalize_label\
- (label, element, element_data);\
- if (error) \
- break; \
- count++; \
- } \
- if (error) \
- break; \
- } \
- if (busy || mac_policy_list_conditional_busy() == 0) \
- break; \
- maxindex = mac_policy_list.maxindex; \
- busy = TRUE; \
- } \
- if (busy) \
- mac_policy_list_unbusy(); \
-} while (0)
+#define MAC_EXTERNALIZE(obj, label, elementlist, outbuf, outbuflen) \
+ MAC_EXTERNALIZE2(obj, label, label, elementlist, outbuf, outbuflen)
-#define MAC_INTERNALIZE_LIST(obj, label, instring) do { \
- char *sptr, *element, *element_data; \
- int count; \
- \
- error = 0; \
- sptr = instring; \
- while ((element = strsep(&sptr, ",")) != NULL) { \
- element_data = element; \
- element = strsep(&element_data, "/"); \
- if (element_data == NULL) { \
- error = EINVAL; \
- break; \
- } \
- MAC_INTERNALIZE(obj, label, element, element_data, \
- count); \
- if (error) \
- break; \
- if (count == 0) { \
- error = EINVAL; \
- break; \
- } \
- } \
-} while (0)
-
 /*
 * MAC_PERFORM performs the designated operation by walking the policy
 * module list and invoking that operation for each policy.
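Review bot: The new MAC_INTERNALIZE and MAC_EXTERNALIZE2 macros hand an offsetof() into struct mac_policy_ops to helpers that reinterpret that slot as `int (*)(struct label *, char *, struct sbuf *)` or `int (*)(struct label *, char *, char *)`, and nothing checks that every mpo_<obj>_externalize_<lname> / mpo_<obj>_internalize_label member actually has that signature; a member with a different prototype compiles silently and is miscalled at runtime, where the old macros got a type check from the direct member call. A comment above the macros should state the contract, e.g. `/* The named mpo_ member must have exactly the signature mac_externalize_label()/mac_internalize_label() cast to; the offset cannot be type-checked. */`, and it is worth confirming that mac_internal.h already includes the header that defines offsetof, which is not visible here.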
@@ -604,4 +408,8 @@
 void mac_policy_addto_labellist(const mac_policy_handle_t, int);
 void mac_policy_removefrom_labellist(const mac_policy_handle_t);
+int mac_externalize(size_t mpo_externalize_off, struct label *label,
+ char *elementlist, char *outbuf, size_t outbuflen);
+int mac_internalize(size_t mpo_internalize_off, struct label *label,
+ char *elementlist);
 #endif /* !_SECURITY_MAC_INTERNAL_H_ */
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_pipe.c#4 (text+ko) ====
@@ -96,14 +96,9 @@
 mac_pipe_externalize_label(struct label *label, char *elements, char *outbuf, size_t outbuflen)
 {
- int error = 0;
+ int error;
- if (elements[0] == '*') {
- int count;
- MAC_EXTERNALIZE_REGISTERED_LABELS(pipe, label, outbuf,
- outbuflen, count);
- } else
- MAC_EXTERNALIZE_LIST(pipe, label, elements, outbuf, outbuflen);
+ error = MAC_EXTERNALIZE(pipe, label, elements, outbuf, outbuflen);
 return (error);
 }
@@ -113,7 +108,7 @@
 {
 int error;
- MAC_INTERNALIZE_LIST(pipe, label, string);
+ error = MAC_INTERNALIZE(pipe, label, string);
 return (error);
 }
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_port.c#5 (text+ko) ====
@@ -104,7 +104,8 @@
 {
 int error;
- MAC_INTERNALIZE_LIST(cred, label, string);
+ /* XXX - should have mpo_port_internalize_label */
+ error = MAC_INTERNALIZE(cred, label, string);
 return (error);
 }
@@ -115,7 +116,8 @@
 {
 int error;
- MAC_EXTERNALIZE_LIST(cred, label, elements, outbuf, outbuflen);
+ /* XXX - should have mpo_port_externalize_label */
+ error = MAC_EXTERNALIZE(cred, label, elements, outbuf, outbuflen);
 return (error);
 }
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_process.c#5 (text+ko) ====
@@ -99,13 +99,12 @@
 mac_cred_get_audit_labels(struct proc *p, struct mac *mac)
 {
 struct ucred *cr;
- int error = 0;
- int count;
+ int error;
 cr = kauth_cred_proc_ref(p);
- MAC_EXTERNALIZE_REGISTERED_LABELS2(cred, audit_label, cr->cr_label,
- mac->m_string, mac->m_buflen, count);
+ error = MAC_EXTERNALIZE2(cred, audit_label, cr->cr_label, "*",
+ mac->m_string, mac->m_buflen);
 kauth_cred_rele(cr);
 return (error);
@@ -141,12 +140,7 @@
 {
 int error = 0;
- if (elements[0] == '*') {
- int count;
- MAC_EXTERNALIZE_REGISTERED_LABELS(cred, label, outbuf,
- outbuflen, count);
- } else
- MAC_EXTERNALIZE_LIST(cred, label, elements, outbuf, outbuflen);
+ error = MAC_EXTERNALIZE(cred, label, elements, outbuf, outbuflen);
 return (error);
 }
@@ -156,7 +150,7 @@
 {
 int error;
- MAC_INTERNALIZE_LIST(cred, label, string);
+ error = MAC_INTERNALIZE(cred, label, string);
 return (error);
 }
@@ -399,7 +393,7 @@
 {
 int error;
- MAC_EXTERNALIZE_LIST(lctx, label, elements, outbuf, outbuflen);
+ error = MAC_EXTERNALIZE(lctx, label, elements, outbuf, outbuflen);
 return (error);
 }
@@ -409,7 +403,7 @@
 {
 int error;
- MAC_INTERNALIZE_LIST(lctx, label, string);
+ error = MAC_INTERNALIZE(lctx, label, string);
 return (error);
 }
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_socket.c#4 (text+ko) ====
@@ -164,7 +164,7 @@
 {
 int error;
- MAC_EXTERNALIZE_LIST(socket, label, elements, outbuf, outbuflen);
+ error = MAC_EXTERNALIZE(socket, label, elements, outbuf, outbuflen);
 return (error);
 }
@@ -175,7 +175,7 @@
 {
 int error;
- MAC_EXTERNALIZE_LIST(socket_peer, label, elements, outbuf, outbuflen);
+ error = MAC_EXTERNALIZE(socket_peer, label, elements, outbuf, outbuflen);
 return (error);
 }
@@ -185,7 +185,7 @@
 {
 int error;
- MAC_INTERNALIZE_LIST(socket, label, string);
+ error = MAC_INTERNALIZE(socket, label, string);
 return (error);
 }
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_task.c#4 (text+ko) ====
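Review bot: `MAC_EXTERNALIZE2(cred, audit_label, cr->cr_label, "*", ...)` passes a string literal as the `char *elementlist` that mac_externalize feeds to strsep(); strsep writes a NUL into the buffer whenever it finds a separator, so this is safe only because "*" contains no comma, and the compiler cannot warn because the parameter is not const. Use a writable buffer (`char all[] = "*";`) or give mac_externalize a const-correct path for the all-namespaces case; mac_vnode_get_audit_labels in the mac_vfs.c section below makes the same call.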
@@ -93,12 +93,7 @@
 {
 int error = 0;
- if (elements[0] == '*') {
- int count;
- MAC_EXTERNALIZE_REGISTERED_LABELS(task, label, outbuf,
- outbuflen, count);
- } else
- MAC_EXTERNALIZE_LIST(task, label, elements, outbuf, outbuflen);
+ error = MAC_EXTERNALIZE(task, label, elements, outbuf, outbuflen);
 return (error);
 }
@@ -108,7 +103,7 @@
 {
 int error;
- MAC_INTERNALIZE_LIST(task, label, string);
+ error = MAC_INTERNALIZE(task, label, string);
 return (error);
 }
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_vfs.c#6 (text+ko) ====
@@ -1,4 +1,3 @@
-
 /*-
 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
 * Copyright (c) 2001 Ilmar S. Habibulin
@@ -175,14 +174,12 @@
 int
 mac_vnode_get_audit_labels(struct vnode *vp, struct mac *mac)
 {
- int error = 0;
- int count;
+ int error;
- // It is assumed that any necessary vnode locking is done on entry
- MAC_EXTERNALIZE_REGISTERED_LABELS2(vnode, audit_label, vp->v_label,
- mac->m_string, mac->m_buflen, count);
+ /* It is assumed that any necessary vnode locking is done on entry */
+ error = MAC_EXTERNALIZE2(vnode, audit_label, vp->v_label, "*",
+ mac->m_string, mac->m_buflen);
- // error is set by MAC_EXTERNALIZE_REGISTERED_LABELS
 return (error);
 }
@@ -190,16 +187,10 @@
 mac_vnode_externalize_label(struct label *label, char *elements, char *outbuf, size_t outbuflen, int flags __unused)
 {
- int error = 0;
+ int error;
- if (elements[0] == '*') {
- int count;
- MAC_EXTERNALIZE_REGISTERED_LABELS(vnode, label, outbuf,
- outbuflen, count);
- } else
- MAC_EXTERNALIZE_LIST(vnode, label, elements, outbuf, outbuflen);
+ error = MAC_EXTERNALIZE(vnode, label, elements, outbuf, outbuflen);
- // error is set by MAC_EXTERNALIZE_*
 return (error);
 }
@@ -208,7 +199,7 @@
 {
 int error;
- MAC_INTERNALIZE_LIST(vnode, label, string);
+ error = MAC_INTERNALIZE(vnode, label, string);
 return (error);
 }
@@ -218,7 +209,7 @@
 {
 int error;
- MAC_INTERNALIZE_LIST(mount, label, string);
+ error = MAC_INTERNALIZE(mount, label, string);
 return (error);
 }
@@ -229,14 +220,8 @@
 {
 int error;
- if (elements[0] == '*') {
- int count;
- MAC_EXTERNALIZE_REGISTERED_LABELS(mount, label, outbuf,
- outbuflen, count);
- } else
- MAC_EXTERNALIZE_LIST(mount, label, elements, outbuf, outbuflen);
+ error = MAC_EXTERNALIZE(mount, label, elements, outbuf, outbuflen);
- // error is set by MAC_EXTERNALIZE_*
 return (error);
 }