authorRobert Watson <rwatson@FreeBSD.org>2002-10-26 14:38:24 +0000
committerRobert Watson <rwatson@FreeBSD.org>2002-10-26 14:38:24 +0000
commit763bbd2f4f7e9cd2be35b41d00439acfe3493a2d (patch)
treec8fd3cabfa2bfa5d30b618f0bd199b68acdff307 /sys/security/mac_stub
parent49d7a091acb496c1a2ea818fafe12922060278d4 (diff)
Slightly change the semantics of vnode labels for MAC: rather than
"refreshing" the label on the vnode before use, just get the label right from inception. For single-label file systems, set the label in the generic VFS getnewvnode() code; for multi-label file systems, leave the labeling up to the file system. With UFS1/2, this means reading the extended attribute during vfs_vget() as the inode is pulled off disk, rather than hitting the extended attributes frequently during operations later, improving performance. This also corrects semantics for shared vnode locks, which were not previously present in the system. This changes the cache coherency properties WRT out-of-band access to label data, but in an acceptable form. With UFS1, there is a small race condition during automatic extended attribute start -- this is not present with UFS2, and occurs because EAs aren't available at vnode inception. We'll introduce a workaround for this shortly. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
Notes
Notes: svn path=/head/; revision=105988
Diffstat (limited to 'sys/security/mac_stub')
-rw-r--r--sys/security/mac_stub/mac_stub.c82
1 files changed, 43 insertions, 39 deletions
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index 85eb896dac73..913fba2f162d 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -46,6 +46,7 @@
#include <sys/param.h>
#include <sys/acl.h>
#include <sys/conf.h>
+#include <sys/extattr.h>
#include <sys/kernel.h>
#include <sys/mac.h>
#include <sys/mount.h>
@@ -136,13 +137,6 @@ mac_none_externalize_label(struct label *label, char *element_name,
}
static int
-mac_none_externalize_vnode_oldmac(struct label *label, struct oldmac *extmac)
-{
-
- return (0);
-}
-
-static int
mac_none_internalize_label(struct label *label, char *element_name,
char *element_data, int *claimed)
{
@@ -155,6 +149,29 @@ mac_none_internalize_label(struct label *label, char *element_name,
* a lot like file system objects.
*/
static void
+mac_none_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
+ struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
+ struct label *vlabel)
+{
+
+}
+
+static int
+mac_none_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
+ struct vnode *vp, struct label *vlabel)
+{
+
+ return (0);
+}
+
+static void
+mac_none_associate_vnode_singlelabel(struct mount *mp,
+ struct label *fslabel, struct vnode *vp, struct label *vlabel)
+{
+
+}
+
+static void
mac_none_create_devfs_device(dev_t dev, struct devfs_dirent *devfs_dirent,
struct label *label)
{
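Review bot: The three new entry points mac_none_associate_vnode_devfs, mac_none_associate_vnode_extattr and mac_none_associate_vnode_singlelabel carry no comment saying they are intentional no-ops, and the `return (0);` in mac_none_associate_vnode_extattr reads as a placeholder rather than a deliberate "label associated" result. A one-line comment on each would make the intent explicit, e.g. `/* Stub policy keeps no per-vnode label state; nothing to read back, so report success. */` above the extattr stub. The same applies to mac_none_create_vnode_extattr in the next hunk and mac_none_setlabel_vnode_extattr in the one after it, both of which return 0 without touching any extended attribute; presumably a non-zero errno there would fail the enclosing vnode operation, so the unconditional success return is the right choice for a policy that persists nothing, but that reasoning should be stated at the stub rather than left to the reader. The comment block that precedes this hunk starts outside it, so whether it already covers the associate entry points cannot be seen here.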
@@ -182,12 +199,13 @@ mac_none_create_devfs_vnode(struct devfs_dirent *devfs_dirent,
}
-static void
-mac_none_create_vnode(struct ucred *cred, struct vnode *parent,
- struct label *parentlabel, struct vnode *child,
- struct label *childlabel)
+static int
+mac_none_create_vnode_extattr(struct ucred *cred, struct mount *mp,
+ struct label *fslabel, struct vnode *dvp, struct label *dlabel,
+ struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{
+ return (0);
}
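Review bot: The body of mac_none_create_vnode_extattr puts `return (0);` directly after the opening brace, dropping the blank line that the other declaration-free stubs in this file keep after `{` (compare mac_none_associate_vnode_extattr added in the previous hunk, or the removed mac_none_externalize_vnode_oldmac). Restoring it keeps the new stubs uniform: `{`, a blank line, then `return (0);`. The surrounding file already mixes both forms in places, so this is a consistency nit for the lines this commit introduces rather than a correctness issue.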
static void
@@ -211,31 +229,17 @@ mac_none_relabel_vnode(struct ucred *cred, struct vnode *vp,
}
-static void
-mac_none_update_devfsdirent(struct devfs_dirent *devfs_dirent,
- struct label *direntlabel, struct vnode *vp, struct label *vnodelabel)
-{
-
-}
-
-static void
-mac_none_update_procfsvnode(struct vnode *vp, struct label *vnodelabel,
- struct ucred *cred)
-{
-
-}
-
static int
-mac_none_update_vnode_from_externalized(struct vnode *vp,
- struct label *vnodelabel, struct oldmac *extmac)
+mac_none_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
+ struct label *vlabel, struct label *intlabel)
{
return (0);
}
static void
-mac_none_update_vnode_from_mount(struct vnode *vp, struct label *vnodelabel,
- struct mount *mp, struct label *fslabel)
+mac_none_update_devfsdirent(struct devfs_dirent *devfs_dirent,
+ struct label *direntlabel, struct vnode *vp, struct label *vnodelabel)
{
}
@@ -924,8 +928,6 @@ static struct mac_policy_op_entry mac_none_ops[] =
(macop_t)mac_none_externalize_label },
{ MAC_EXTERNALIZE_VNODE_LABEL,
(macop_t)mac_none_externalize_label },
- { MAC_EXTERNALIZE_VNODE_OLDMAC,
- (macop_t)mac_none_externalize_vnode_oldmac },
{ MAC_INTERNALIZE_CRED_LABEL,
(macop_t)mac_none_internalize_label },
{ MAC_INTERNALIZE_IFNET_LABEL,
@@ -936,6 +938,12 @@ static struct mac_policy_op_entry mac_none_ops[] =
(macop_t)mac_none_internalize_label },
{ MAC_INTERNALIZE_VNODE_LABEL,
(macop_t)mac_none_internalize_label },
+ { MAC_ASSOCIATE_VNODE_DEVFS,
+ (macop_t)mac_none_associate_vnode_devfs },
+ { MAC_ASSOCIATE_VNODE_EXTATTR,
+ (macop_t)mac_none_associate_vnode_extattr },
+ { MAC_ASSOCIATE_VNODE_SINGLELABEL,
+ (macop_t)mac_none_associate_vnode_singlelabel },
{ MAC_CREATE_DEVFS_DEVICE,
(macop_t)mac_none_create_devfs_device },
{ MAC_CREATE_DEVFS_DIRECTORY,
@@ -944,22 +952,18 @@ static struct mac_policy_op_entry mac_none_ops[] =
(macop_t)mac_none_create_devfs_symlink },
{ MAC_CREATE_DEVFS_VNODE,
(macop_t)mac_none_create_devfs_vnode },
- { MAC_CREATE_VNODE,
- (macop_t)mac_none_create_vnode },
+ { MAC_CREATE_VNODE_EXTATTR,
+ (macop_t)mac_none_create_vnode_extattr },
{ MAC_CREATE_MOUNT,
(macop_t)mac_none_create_mount },
{ MAC_CREATE_ROOT_MOUNT,
(macop_t)mac_none_create_root_mount },
{ MAC_RELABEL_VNODE,
(macop_t)mac_none_relabel_vnode },
+ { MAC_SETLABEL_VNODE_EXTATTR,
+ (macop_t)mac_none_setlabel_vnode_extattr },
{ MAC_UPDATE_DEVFSDIRENT,
(macop_t)mac_none_update_devfsdirent },
- { MAC_UPDATE_PROCFSVNODE,
- (macop_t)mac_none_update_procfsvnode },
- { MAC_UPDATE_VNODE_FROM_EXTERNALIZED,
- (macop_t)mac_none_update_vnode_from_externalized },
- { MAC_UPDATE_VNODE_FROM_MOUNT,
- (macop_t)mac_none_update_vnode_from_mount },
{ MAC_CREATE_MBUF_FROM_SOCKET,
(macop_t)mac_none_create_mbuf_from_socket },
{ MAC_CREATE_PIPE,