authorMateusz Guzik <mjg@FreeBSD.org>2020-08-06 00:23:06 +0000
committerMateusz Guzik <mjg@FreeBSD.org>2020-08-06 00:23:06 +0000
commit4ec34a908bb2caf1967fd6e26e152e0bf2e4534e (patch)
tree128d28aa14e4943a06a749075ffde72b3c24ab3a /sys/security
parent0ef3c62577fc37389ea46c9fc5accfb7706b6c01 (diff)
mac: even up all entry points to the same scheme
- use a macro for checking whether the site is enabled
- expand it to 0 if mac is not compiled in to begin with
Notes
Notes: svn path=/head/; revision=363935
Diffstat (limited to 'sys/security')
-rw-r--r--sys/security/mac/mac_framework.h45
1 files changed, 38 insertions, 7 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 70a7aad44757..fed574d36135 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -264,11 +264,12 @@ extern bool mac_priv_check_fp_flag;
#else
#define mac_priv_check_fp_flag 0
#endif
+#define mac_priv_check_enabled() __predict_false(mac_priv_check_fp_flag)
static inline int
mac_priv_check(struct ucred *cred, int priv)
{
- if (__predict_false(mac_priv_check_fp_flag))
+ if (mac_priv_check_enabled())
return (mac_priv_check_impl(cred, priv));
return (0);
}
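Review bot: The new `mac_priv_check_enabled()` macro above `mac_priv_check()` has no comment, although it is the only gate in front of the policy call: when the flag reads false the function returns 0, so the privilege check passes without any policy being consulted. A comment such as `/* Fast path: false means no policy is consulted and the check returns 0; the flag must be true whenever a loaded policy implements this hook. */` would record that invariant next to the macro. How the flag is kept in step with policy load and unload is not visible in this diff, so that wording should be confirmed against the framework code. The same applies to the `mac_vnode_check_mmap_enabled()`, `_open_`, `_stat_`, `_read_` and `_write_` macros added in the later hunks.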
@@ -279,11 +280,12 @@ extern bool mac_priv_grant_fp_flag;
#else
#define mac_priv_grant_fp_flag 0
#endif
+#define mac_priv_grant_enabled() __predict_false(mac_priv_grant_fp_flag)
static inline int
mac_priv_grant(struct ucred *cred, int priv)
{
- if (__predict_false(mac_priv_grant_fp_flag))
+ if (mac_priv_grant_enabled())
return (mac_priv_grant_impl(cred, priv));
return (EPERM);
}
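Review bot: `mac_priv_grant()` returns `EPERM` on the disabled path while every other wrapper touched by this commit returns 0, and nothing in the header says the difference is deliberate. It presumably is, since with no policy enabled there is nothing that could grant the privilege. Because the commit's stated aim is to bring all entry points to the same scheme, a one-line comment above the final return, `/* No policy enabled: nothing can grant the privilege, so deny. */`, would keep a later cleanup from normalising the value to 0 and turning a deny-by-default into a grant.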
@@ -441,7 +443,11 @@ int mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
int mac_vnode_check_lookup_impl(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp);
+#ifdef MAC
extern bool mac_vnode_check_lookup_fp_flag;
+#else
+#define mac_vnode_check_lookup_fp_flag 0
+#endif
#define mac_vnode_check_lookup_enabled() __predict_false(mac_vnode_check_lookup_fp_flag)
static inline int
mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
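Review bot: The five-line `#ifdef MAC` / `extern bool …_fp_flag;` / `#else` / `#define …_fp_flag 0` / `#endif` stanza is written out by hand for each hook, here and again for mmap, open, stat, read and write in the following hunks. Each copy is a place where the `#else` fallback can be forgotten or mistyped when a new fast-path hook is added, and such a slip would only show up in a kernel built without MAC. Grouping the `extern` declarations under a single `#ifdef MAC` and the zero definitions under its `#else` would keep the two lists side by side and easy to compare. The body of `mac_vnode_check_lookup()` lies outside this hunk.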
@@ -456,28 +462,38 @@ mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
int mac_vnode_check_mmap_impl(struct ucred *cred, struct vnode *vp, int prot,
int flags);
+#ifdef MAC
extern bool mac_vnode_check_mmap_fp_flag;
+#else
+#define mac_vnode_check_mmap_fp_flag 0
+#endif
+#define mac_vnode_check_mmap_enabled() __predict_false(mac_vnode_check_mmap_fp_flag)
static inline int
mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot,
int flags)
{
mac_vnode_assert_locked(vp, "mac_vnode_check_mmap");
- if (__predict_false(mac_vnode_check_mmap_fp_flag))
+ if (mac_vnode_check_mmap_enabled())
return (mac_vnode_check_mmap_impl(cred, vp, prot, flags));
return (0);
}
int mac_vnode_check_open_impl(struct ucred *cred, struct vnode *vp,
accmode_t accmode);
+#ifdef MAC
extern bool mac_vnode_check_open_fp_flag;
+#else
+#define mac_vnode_check_open_fp_flag 0
+#endif
+#define mac_vnode_check_open_enabled() __predict_false(mac_vnode_check_open_fp_flag)
static inline int
mac_vnode_check_open(struct ucred *cred, struct vnode *vp,
accmode_t accmode)
{
mac_vnode_assert_locked(vp, "mac_vnode_check_open");
- if (__predict_false(mac_vnode_check_open_fp_flag))
+ if (mac_vnode_check_open_enabled())
return (mac_vnode_check_open_impl(cred, vp, accmode));
return (0);
}
@@ -526,42 +542,57 @@ int mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
int mac_vnode_check_stat_impl(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
+#ifdef MAC
extern bool mac_vnode_check_stat_fp_flag;
+#else
+#define mac_vnode_check_stat_fp_flag 0
+#endif
+#define mac_vnode_check_stat_enabled() __predict_false(mac_vnode_check_stat_fp_flag)
static inline int
mac_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
mac_vnode_assert_locked(vp, "mac_vnode_check_stat");
- if (__predict_false(mac_vnode_check_stat_fp_flag))
+ if (mac_vnode_check_stat_enabled())
return (mac_vnode_check_stat_impl(active_cred, file_cred, vp));
return (0);
}
int mac_vnode_check_read_impl(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
+#ifdef MAC
extern bool mac_vnode_check_read_fp_flag;
+#else
+#define mac_vnode_check_read_fp_flag 0
+#endif
+#define mac_vnode_check_read_enabled() __predict_false(mac_vnode_check_read_fp_flag)
static inline int
mac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
mac_vnode_assert_locked(vp, "mac_vnode_check_read");
- if (__predict_false(mac_vnode_check_read_fp_flag))
+ if (mac_vnode_check_read_enabled())
return (mac_vnode_check_read_impl(active_cred, file_cred, vp));
return (0);
}
int mac_vnode_check_write_impl(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
+#ifdef MAC
extern bool mac_vnode_check_write_fp_flag;
+#else
+#define mac_vnode_check_write_fp_flag 0
+#endif
+#define mac_vnode_check_write_enabled() __predict_false(mac_vnode_check_write_fp_flag)
static inline int
mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
mac_vnode_assert_locked(vp, "mac_vnode_check_write");
- if (__predict_false(mac_vnode_check_write_fp_flag))
+ if (mac_vnode_check_write_enabled())
return (mac_vnode_check_write_impl(active_cred, file_cred, vp));
return (0);
}