static int
mac_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
struct label *intlabel)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_vnode_setlabel_extattr");
error = VOP_OPENEXTATTR(vp, cred, curthread);
if (error == EOPNOTSUPP) {
if (ea_warn_once == 0) {
printf("Warning: transactions not supported "
"in EA write.\n");
ea_warn_once = 1;
}
} else if (error)
return (error);
MAC_POLICY_CHECK(vnode_setlabel_extattr, cred, vp, vp->v_label,
intlabel);
if (error) {
VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
return (error);
}
error = VOP_CLOSEEXTATTR(vp, 1, NOCRED, curthread);
if (error == EOPNOTSUPP)
error = 0;
return (error);
}
/*
* Functions implementing extended-attribute backed labels for file systems
* that support it.
*
* Where possible, we use EA transactions to make writes to multiple
* attributes across difference policies mutually atomic. We allow work to
* continue on file systems not supporting EA transactions, but generate a
* printf warning.
*/
int
mac_vnode_create_extattr(struct ucred *cred, struct mount *mp,
struct vnode *dvp, struct vnode *vp, struct componentname *cnp)
{
int error;
ASSERT_VOP_LOCKED(dvp, "mac_vnode_create_extattr");
ASSERT_VOP_LOCKED(vp, "mac_vnode_create_extattr");
error = VOP_OPENEXTATTR(vp, cred, curthread);
if (error == EOPNOTSUPP) {
if (ea_warn_once == 0) {
printf("Warning: transactions not supported "
"in EA write.\n");
ea_warn_once = 1;
}
} else if (error)
return (error);
MAC_POLICY_CHECK(vnode_create_extattr, cred, mp, mp->mnt_label, dvp,
dvp->v_label, vp, vp->v_label, cnp);
if (error) {
VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
return (error);
}
error = VOP_CLOSEEXTATTR(vp, 1, NOCRED, curthread);
if (error == EOPNOTSUPP)
error = 0;
return (error);
}
int
mac_system_check_swapoff(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_system_check_swapoff");
MAC_POLICY_CHECK(system_check_swapoff, cred, vp, vp->v_label);
MAC_CHECK_PROBE2(system_check_swapoff, error, cred, vp);
return (error);
}
int
mac_kld_check_load(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_kld_check_load");
MAC_POLICY_CHECK(kld_check_load, cred, vp, vp->v_label);
MAC_CHECK_PROBE2(kld_check_load, error, cred, vp);
return (error);
}
int
mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_vnode_associate_extattr");
MAC_POLICY_CHECK(vnode_associate_extattr, mp, mp->mnt_label, vp,
vp->v_label);
return (error);
}
int
mac_system_check_auditctl(struct ucred *cred, struct vnode *vp)
{
int error;
struct label *vl;
ASSERT_VOP_LOCKED(vp, "mac_system_check_auditctl");
vl = (vp != NULL) ? vp->v_label : NULL;
MAC_POLICY_CHECK(system_check_auditctl, cred, vp, vl);
MAC_CHECK_PROBE2(system_check_auditctl, error, cred, vp);
return (error);
}
int
mac_system_check_acct(struct ucred *cred, struct vnode *vp)
{
int error;
if (vp != NULL) {
ASSERT_VOP_LOCKED(vp, "mac_system_check_acct");
}
MAC_POLICY_CHECK(system_check_acct, cred, vp,
vp != NULL ? vp->v_label : NULL);
MAC_CHECK_PROBE2(system_check_acct, error, cred, vp);
return (error);
}
int
mac_mbuf_tag_init(struct m_tag *tag, int flag)
{
struct label *label;
int error;
label = (struct label *) (tag + 1);
mac_init_label(label);
if (flag & M_WAITOK)
MAC_POLICY_CHECK(mbuf_init_label, label, flag);
else
MAC_POLICY_CHECK_NOSLEEP(mbuf_init_label, label, flag);
if (error) {
MAC_POLICY_PERFORM_NOSLEEP(mbuf_destroy_label, label);
mac_destroy_label(label);
}
return (error);
}
static struct label *
mac_ip6q_label_alloc(int flag)
{
struct label *label;
int error;
label = mac_labelzone_alloc(flag);
if (label == NULL)
return (NULL);
if (flag & M_WAITOK)
MAC_POLICY_CHECK(ip6q_init_label, label, flag);
else
MAC_POLICY_CHECK_NOSLEEP(ip6q_init_label, label, flag);
if (error) {
MAC_POLICY_PERFORM_NOSLEEP(ip6q_destroy_label, label);
mac_labelzone_free(label);
return (NULL);
}
return (label);
}
