From f64a688dfda9d664c03ba67dab27dd6c7e10784d Mon Sep 17 00:00:00 2001
From: Brooks Davis
Date: Mon, 13 Nov 2023 21:32:15 +0000
Subject: [PATCH] Remove gratuitous copyouts of unchanged struct mac.

The get operations change the data pointed to by the structure, but do not update the contents of the struct. Mark the struct mac arguments of mac_[gs]etsockopt_*label() and mac_check_structmac_consistent() const to prevent this from changing in the future.

Reviewed by:	markj
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D14488
---
 sys/kern/uipc_socket.c           | 4 ++--
 sys/security/mac/mac_framework.c | 3 +--
 sys/security/mac/mac_framework.h | 6 +++---
 sys/security/mac/mac_internal.h  | 2 +-
 sys/security/mac/mac_socket.c    | 8 +++++---
 5 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c
index 880dec89245..0ddcf0409cb 100644
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@@ -3442,7 +3442,7 @@ integer:
 			    so, &extmac);
 			if (error)
 				goto bad;
-			error = sooptcopyout(sopt, &extmac, sizeof extmac);
+			/* Don't copy out extmac, it is unchanged. */
 #else
 			error = EOPNOTSUPP;
 #endif
@@ -3458,7 +3458,7 @@ integer:
 			    sopt->sopt_td->td_ucred, so, &extmac);
 			if (error)
 				goto bad;
-			error = sooptcopyout(sopt, &extmac, sizeof extmac);
+			/* Don't copy out extmac, it is unchanged. */
 #else
 			error = EOPNOTSUPP;
 #endif
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 8f1aa37d45b..682f05c6979 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -725,9 +725,8 @@ mac_error_select(int error1, int error2)
 }
 
 int
-mac_check_structmac_consistent(struct mac *mac)
+mac_check_structmac_consistent(const struct mac *mac)
 {
-
 	/* Require that labels have a non-zero length. */
 	if (mac->m_buflen > MAC_MAX_LABEL_BUF_LEN ||
 	    mac->m_buflen <= sizeof(""))
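Review bot: The replacement comment `/* Don't copy out extmac, it is unchanged. */` in the SO_LABEL hunk at -3442 (and its twin in the hunk at -3458) understates what the caller receives: per the commit message the get operation still writes the label through the pointer carried inside the struct, and only the struct itself stays untouched, so a reader could conclude no data reaches userland at all. Suggest `/* extmac itself is unchanged; the label was written through the user pointer it carries by mac_getsockopt_label(). */`, with the corresponding wording for mac_getsockopt_peerlabel() in the second hunk. Dropping the assignment also leaves `error` at the zero the preceding `if (error) goto bad;` guarantees, which is the intended success path. The enclosing switch case continues outside the hunk.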
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 644028bde47..c69b9cd6445 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -408,11 +408,11 @@ void	mac_socket_destroy(struct socket *);
 int	mac_socket_init(struct socket *, int);
 void	mac_socket_newconn(struct socket *oldso, struct socket *newso);
 int	mac_getsockopt_label(struct ucred *cred, struct socket *so,
-	    struct mac *extmac);
+	    const struct mac *extmac);
 int	mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so,
-	    struct mac *extmac);
+	    const struct mac *extmac);
 int	mac_setsockopt_label(struct ucred *cred, struct socket *so,
-	    struct mac *extmac);
+	    const struct mac *extmac);
 void	mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so);
 void	mac_socketpeer_set_from_socket(struct socket *oldso,
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index d1ee1af09c0..aa407598600 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -210,7 +210,7 @@ void	mac_labelzone_init(void);
 
 void	mac_init_label(struct label *label);
 void	mac_destroy_label(struct label *label);
-int	mac_check_structmac_consistent(struct mac *mac);
+int	mac_check_structmac_consistent(const struct mac *mac);
 int	mac_allocate_slot(void);
 
 /*
diff --git a/sys/security/mac/mac_socket.c b/sys/security/mac/mac_socket.c
index be136302465..e9f94404734 100644
--- a/sys/security/mac/mac_socket.c
+++ b/sys/security/mac/mac_socket.c
@@ -521,7 +521,8 @@ mac_socket_label_set(struct ucred *cred, struct socket *so,
 }
 
 int
-mac_setsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac)
+mac_setsockopt_label(struct ucred *cred, struct socket *so,
+    const struct mac *mac)
 {
 	struct label *intlabel;
 	char *buffer;
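Review bot: The `const struct mac *extmac` qualifier on the two get prototypes in the mac_framework.h hunk (mac_getsockopt_label, mac_getsockopt_peerlabel) reads as "this call produces no output", whereas the commit message says the get operations still write through the pointer the struct carries and only the struct itself is left untouched; a reader of the header has no way to tell those apart. A comment above the three prototypes would pin the contract down, e.g. `/* The struct mac is only read (hence const); the get variants still copy the label out to the user buffer the struct points at. */`. The same ambiguity applies to the definitions in the mac_socket.c hunks at -521, -554 and -593, whose bodies continue outside their hunks, so the header is the best single place for it. Since the length carried in the struct is presumably user-supplied, the comment could also name mac_check_structmac_consistent() as the check callers are expected to have run before any write through the struct.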
@@ -554,7 +555,8 @@ out:
 }
 
 int
-mac_getsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac)
+mac_getsockopt_label(struct ucred *cred, struct socket *so,
+    const struct mac *mac)
 {
 	char *buffer, *elements;
 	struct label *intlabel;
@@ -593,7 +595,7 @@ mac_getsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac)
 
 int
 mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so,
-    struct mac *mac)
+    const struct mac *mac)
 {
 	char *elements, *buffer;
 	struct label *intlabel;