diff options
author | Mateusz Guzik <mjg@FreeBSD.org> | 2020-08-06 00:23:06 +0000 |
---|---|---|
committer | Mateusz Guzik <mjg@FreeBSD.org> | 2020-08-06 00:23:06 +0000 |
commit | 4ec34a908bb2caf1967fd6e26e152e0bf2e4534e (patch) | |
tree | 128d28aa14e4943a06a749075ffde72b3c24ab3a /sys/security | |
parent | 0ef3c62577fc37389ea46c9fc5accfb7706b6c01 (diff) | |
download | src-4ec34a908bb2caf1967fd6e26e152e0bf2e4534e.tar.gz src-4ec34a908bb2caf1967fd6e26e152e0bf2e4534e.zip |
mac: even up all entry points to the same scheme
- use a macro for checking whether the site is enabled
- expand it to 0 if mac is not compiled in to begin with
Notes
Notes:
svn path=/head/; revision=363935
Diffstat (limited to 'sys/security')
-rw-r--r-- | sys/security/mac/mac_framework.h | 45 |
1 files changed, 38 insertions, 7 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index 70a7aad44757..fed574d36135 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -264,11 +264,12 @@ extern bool mac_priv_check_fp_flag; #else #define mac_priv_check_fp_flag 0 #endif +#define mac_priv_check_enabled() __predict_false(mac_priv_check_fp_flag) static inline int mac_priv_check(struct ucred *cred, int priv) { - if (__predict_false(mac_priv_check_fp_flag)) + if (mac_priv_check_enabled()) return (mac_priv_check_impl(cred, priv)); return (0); } @@ -279,11 +280,12 @@ extern bool mac_priv_grant_fp_flag; #else #define mac_priv_grant_fp_flag 0 #endif +#define mac_priv_grant_enabled() __predict_false(mac_priv_grant_fp_flag) static inline int mac_priv_grant(struct ucred *cred, int priv) { - if (__predict_false(mac_priv_grant_fp_flag)) + if (mac_priv_grant_enabled()) return (mac_priv_grant_impl(cred, priv)); return (EPERM); } @@ -441,7 +443,11 @@ int mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp, int mac_vnode_check_lookup_impl(struct ucred *cred, struct vnode *dvp, struct componentname *cnp); +#ifdef MAC extern bool mac_vnode_check_lookup_fp_flag; +#else +#define mac_vnode_check_lookup_fp_flag 0 +#endif #define mac_vnode_check_lookup_enabled() __predict_false(mac_vnode_check_lookup_fp_flag) static inline int mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp, @@ -456,28 +462,38 @@ mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp, int mac_vnode_check_mmap_impl(struct ucred *cred, struct vnode *vp, int prot, int flags); +#ifdef MAC extern bool mac_vnode_check_mmap_fp_flag; +#else +#define mac_vnode_check_mmap_fp_flag 0 +#endif +#define mac_vnode_check_mmap_enabled() __predict_false(mac_vnode_check_mmap_fp_flag) static inline int mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot, int flags) { mac_vnode_assert_locked(vp, "mac_vnode_check_mmap"); - if (__predict_false(mac_vnode_check_mmap_fp_flag)) + if (mac_vnode_check_mmap_enabled()) return (mac_vnode_check_mmap_impl(cred, vp, prot, flags)); return (0); } int mac_vnode_check_open_impl(struct ucred *cred, struct vnode *vp, accmode_t accmode); +#ifdef MAC extern bool mac_vnode_check_open_fp_flag; +#else +#define mac_vnode_check_open_fp_flag 0 +#endif +#define mac_vnode_check_open_enabled() __predict_false(mac_vnode_check_open_fp_flag) static inline int mac_vnode_check_open(struct ucred *cred, struct vnode *vp, accmode_t accmode) { mac_vnode_assert_locked(vp, "mac_vnode_check_open"); - if (__predict_false(mac_vnode_check_open_fp_flag)) + if (mac_vnode_check_open_enabled()) return (mac_vnode_check_open_impl(cred, vp, accmode)); return (0); } @@ -526,42 +542,57 @@ int mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp, int mac_vnode_check_stat_impl(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp); +#ifdef MAC extern bool mac_vnode_check_stat_fp_flag; +#else +#define mac_vnode_check_stat_fp_flag 0 +#endif +#define mac_vnode_check_stat_enabled() __predict_false(mac_vnode_check_stat_fp_flag) static inline int mac_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp) { mac_vnode_assert_locked(vp, "mac_vnode_check_stat"); - if (__predict_false(mac_vnode_check_stat_fp_flag)) + if (mac_vnode_check_stat_enabled()) return (mac_vnode_check_stat_impl(active_cred, file_cred, vp)); return (0); } int mac_vnode_check_read_impl(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp); +#ifdef MAC extern bool mac_vnode_check_read_fp_flag; +#else +#define mac_vnode_check_read_fp_flag 0 +#endif +#define mac_vnode_check_read_enabled() __predict_false(mac_vnode_check_read_fp_flag) static inline int mac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp) { mac_vnode_assert_locked(vp, "mac_vnode_check_read"); - if (__predict_false(mac_vnode_check_read_fp_flag)) + if (mac_vnode_check_read_enabled()) return (mac_vnode_check_read_impl(active_cred, file_cred, vp)); return (0); } int mac_vnode_check_write_impl(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp); +#ifdef MAC extern bool mac_vnode_check_write_fp_flag; +#else +#define mac_vnode_check_write_fp_flag 0 +#endif +#define mac_vnode_check_write_enabled() __predict_false(mac_vnode_check_write_fp_flag) static inline int mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp) { mac_vnode_assert_locked(vp, "mac_vnode_check_write"); - if (__predict_false(mac_vnode_check_write_fp_flag)) + if (mac_vnode_check_write_enabled()) return (mac_vnode_check_write_impl(active_cred, file_cred, vp)); return (0); } |