From 56c1541237b41af66a5bb4788de6d6002b471ffb Mon Sep 17 00:00:00 2001
From: Robert Watson
Date: Sat, 5 Oct 2002 17:44:49 +0000
Subject: [PATCH] While the MAC API has supported the ability to handle M_NOWAIT passed to mbuf label initialization, that functionality was never merged to the main tree. Go ahead and merge that functionality now. Note that this requires policy modules to accept the case where the label element may be destroyed even if init has not succeeded on it (in the event that policy failed the init). This will shortly also apply to sockets.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
---
 sys/kern/kern_mac.c | 14 +++++++++++---
 sys/security/mac/mac_framework.c | 14 +++++++++++---
 sys/security/mac/mac_internal.h | 14 +++++++++++---
 sys/security/mac/mac_net.c | 14 +++++++++++---
 sys/security/mac/mac_pipe.c | 14 +++++++++++---
 sys/security/mac/mac_process.c | 14 +++++++++++---
 sys/security/mac/mac_syscalls.c | 14 +++++++++++---
 sys/security/mac/mac_system.c | 14 +++++++++++---
 sys/security/mac/mac_vfs.c | 14 +++++++++++---
 9 files changed, 99 insertions(+), 27 deletions(-)
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index dd5d2b35e9f..d21d5df9899 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -1101,15 +1101,23 @@ mac_init_ipq(struct ipq *ipq)
 int
 mac_init_mbuf(struct mbuf *m, int flag)
 {
+ int error;
+
 KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf"));
 mac_init_label(&m->m_pkthdr.label);
- MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, flag);
+ MAC_CHECK(init_mbuf_label, &m->m_pkthdr.label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
+ mac_destroy_label(&m->m_pkthdr.label);
+ }
+
 #ifdef MAC_DEBUG
- atomic_add_int(&nmacmbufs, 1);
+ if (error == 0)
+ atomic_add_int(&nmacmbufs, 1);
 #endif
- return (0);
+ return (error);
 }
 void
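Review bot: `error` is declared at the top of the new code but no visible statement assigns it before `if (error)`; the value is presumably stored by the MAC_CHECK macro, and that hidden write deserves a comment on the MAC_CHECK line, e.g. `/* MAC_CHECK composes the policies' results into the local "error". */`. On the failure path the label is torn down in place while the mbuf is handed back with a non-zero return and nothing marks the label as destroyed, so a caller that still runs the mbuf's label destroy would destroy it twice; a comment such as `/* On error the label is already gone: the caller must release the mbuf without destroying its label again. */` would record that contract, and the commit message's point that policies must tolerate destroy after a failed init belongs next to the `MAC_PERFORM(destroy_mbuf_label, ...)` call as well. The same hunk, with identical index hashes and @@ offsets, is repeated for eight more files including mac_internal.h (the hunks on L2 through L5); if that is not a rendering artifact, a header carrying this function definition would duplicate the symbol in every unit that includes it.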
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index dd5d2b35e9f..d21d5df9899 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -1101,15 +1101,23 @@ mac_init_ipq(struct ipq *ipq)
 int
 mac_init_mbuf(struct mbuf *m, int flag)
 {
+ int error;
+
 KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf"));
 mac_init_label(&m->m_pkthdr.label);
- MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, flag);
+ MAC_CHECK(init_mbuf_label, &m->m_pkthdr.label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
+ mac_destroy_label(&m->m_pkthdr.label);
+ }
+
 #ifdef MAC_DEBUG
- atomic_add_int(&nmacmbufs, 1);
+ if (error == 0)
+ atomic_add_int(&nmacmbufs, 1);
 #endif
- return (0);
+ return (error);
 }
 void
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index dd5d2b35e9f..d21d5df9899 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -1101,15 +1101,23 @@ mac_init_ipq(struct ipq *ipq)
 int
 mac_init_mbuf(struct mbuf *m, int flag)
 {
+ int error;
+
 KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf"));
 mac_init_label(&m->m_pkthdr.label);
- MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, flag);
+ MAC_CHECK(init_mbuf_label, &m->m_pkthdr.label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
+ mac_destroy_label(&m->m_pkthdr.label);
+ }
+
 #ifdef MAC_DEBUG
- atomic_add_int(&nmacmbufs, 1);
+ if (error == 0)
+ atomic_add_int(&nmacmbufs, 1);
 #endif
- return (0);
+ return (error);
 }
 void
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index dd5d2b35e9f..d21d5df9899 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -1101,15 +1101,23 @@ mac_init_ipq(struct ipq *ipq)
 int
 mac_init_mbuf(struct mbuf *m, int flag)
 {
+ int error;
+
 KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf"));
 mac_init_label(&m->m_pkthdr.label);
- MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, flag);
+ MAC_CHECK(init_mbuf_label, &m->m_pkthdr.label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
+ mac_destroy_label(&m->m_pkthdr.label);
+ }
+
 #ifdef MAC_DEBUG
- atomic_add_int(&nmacmbufs, 1);
+ if (error == 0)
+ atomic_add_int(&nmacmbufs, 1);
 #endif
- return (0);
+ return (error);
 }
 void
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index dd5d2b35e9f..d21d5df9899 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -1101,15 +1101,23 @@ mac_init_ipq(struct ipq *ipq)
 int
 mac_init_mbuf(struct mbuf *m, int flag)
 {
+ int error;
+
 KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf"));
 mac_init_label(&m->m_pkthdr.label);
- MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, flag);
+ MAC_CHECK(init_mbuf_label, &m->m_pkthdr.label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
+ mac_destroy_label(&m->m_pkthdr.label);
+ }
+
 #ifdef MAC_DEBUG
- atomic_add_int(&nmacmbufs, 1);
+ if (error == 0)
+ atomic_add_int(&nmacmbufs, 1);
 #endif
- return (0);
+ return (error);
 }
 void
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index dd5d2b35e9f..d21d5df9899 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -1101,15 +1101,23 @@ mac_init_ipq(struct ipq *ipq)
 int
 mac_init_mbuf(struct mbuf *m, int flag)
 {
+ int error;
+
 KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf"));
 mac_init_label(&m->m_pkthdr.label);
- MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, flag);
+ MAC_CHECK(init_mbuf_label, &m->m_pkthdr.label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
+ mac_destroy_label(&m->m_pkthdr.label);
+ }
+
 #ifdef MAC_DEBUG
- atomic_add_int(&nmacmbufs, 1);
+ if (error == 0)
+ atomic_add_int(&nmacmbufs, 1);
 #endif
- return (0);
+ return (error);
 }
 void
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index dd5d2b35e9f..d21d5df9899 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -1101,15 +1101,23 @@ mac_init_ipq(struct ipq *ipq)
 int
 mac_init_mbuf(struct mbuf *m, int flag)
 {
+ int error;
+
 KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf"));
 mac_init_label(&m->m_pkthdr.label);
- MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, flag);
+ MAC_CHECK(init_mbuf_label, &m->m_pkthdr.label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
+ mac_destroy_label(&m->m_pkthdr.label);
+ }
+
 #ifdef MAC_DEBUG
- atomic_add_int(&nmacmbufs, 1);
+ if (error == 0)
+ atomic_add_int(&nmacmbufs, 1);
 #endif
- return (0);
+ return (error);
 }
 void
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index dd5d2b35e9f..d21d5df9899 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -1101,15 +1101,23 @@ mac_init_ipq(struct ipq *ipq)
 int
 mac_init_mbuf(struct mbuf *m, int flag)
 {
+ int error;
+
 KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf"));
 mac_init_label(&m->m_pkthdr.label);
- MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, flag);
+ MAC_CHECK(init_mbuf_label, &m->m_pkthdr.label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
+ mac_destroy_label(&m->m_pkthdr.label);
+ }
+
 #ifdef MAC_DEBUG
- atomic_add_int(&nmacmbufs, 1);
+ if (error == 0)
+ atomic_add_int(&nmacmbufs, 1);
 #endif
- return (0);
+ return (error);
 }
 void
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index dd5d2b35e9f..d21d5df9899 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -1101,15 +1101,23 @@ mac_init_ipq(struct ipq *ipq)
 int
 mac_init_mbuf(struct mbuf *m, int flag)
 {
+ int error;
+
 KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf"));
 mac_init_label(&m->m_pkthdr.label);
- MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, flag);
+ MAC_CHECK(init_mbuf_label, &m->m_pkthdr.label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
+ mac_destroy_label(&m->m_pkthdr.label);
+ }
+
 #ifdef MAC_DEBUG
- atomic_add_int(&nmacmbufs, 1);
+ if (error == 0)
+ atomic_add_int(&nmacmbufs, 1);
 #endif
- return (0);
+ return (error);
 }
 void