1
/*-
2
 * Copyright (c) 1999-2002, 2006, 2009, 2019 Robert N. M. Watson
3
 * Copyright (c) 2001 Ilmar S. Habibulin
4
 * Copyright (c) 2001-2004 Networks Associates Technology, Inc.
5
 * Copyright (c) 2006 nCircle Network Security, Inc.
6
 * Copyright (c) 2006 SPARTA, Inc.
7
 * Copyright (c) 2009 Apple, Inc.
8
 * All rights reserved.
9
 *
10
 * This software was developed by Robert Watson and Ilmar Habibulin for the
11
 * TrustedBSD Project.
12
 *
13
 * This software was developed for the FreeBSD Project in part by Network
14
 * Associates Laboratories, the Security Research Division of Network
15
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
16
 * as part of the DARPA CHATS research program.
17
 *
18
 * This software was developed by Robert N. M. Watson for the TrustedBSD
19
 * Project under contract to nCircle Network Security, Inc.
20
 *
21
 * This software was enhanced by SPARTA ISSO under SPAWAR contract
22
 * N66001-04-C-6019 ("SEFOS").
23
 *
24
 * This software was developed at the University of Cambridge Computer
25
 * Laboratory with support from a grant from Google, Inc. 
26
 *
27
 * Redistribution and use in source and binary forms, with or without
28
 * modification, are permitted provided that the following conditions
29
 * are met:
30
 * 1. Redistributions of source code must retain the above copyright
31
 *    notice, this list of conditions and the following disclaimer.
32
 * 2. Redistributions in binary form must reproduce the above copyright
33
 *    notice, this list of conditions and the following disclaimer in the
34
 *    documentation and/or other materials provided with the distribution.
35
 *
36
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
37
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
39
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
40
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
41
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
42
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
44
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
45
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
46
 * SUCH DAMAGE.
47
 */
48

49
#ifndef _SECURITY_MAC_MAC_INTERNAL_H_
50
#define	_SECURITY_MAC_MAC_INTERNAL_H_
51

52
#ifndef _KERNEL
53
#error "no user-serviceable parts inside"
54
#endif
55

56
#include <sys/lock.h>
57
#include <sys/rmlock.h>
58

59
/*
60
 * MAC Framework SDT DTrace probe namespace, macros for declaring entry
61
 * point probes, macros for invoking them.
62
 */
63
#ifdef SDT_PROVIDER_DECLARE
64
SDT_PROVIDER_DECLARE(mac);		/* MAC Framework-level events. */
65
SDT_PROVIDER_DECLARE(mac_framework);	/* Entry points to MAC. */
66

67
#define	MAC_CHECK_PROBE_DEFINE5(name, arg0, arg1, arg2, arg3, arg4)	\
68
	SDT_PROBE_DEFINE6(mac_framework, , name, mac__check__err,	\
69
	    "int", arg0, arg1, arg2, arg3, arg4);			\
70
	SDT_PROBE_DEFINE6(mac_framework, , name, mac__check__ok,	\
71
	    "int", arg0, arg1, arg2, arg3, arg4);
72

73
#define	MAC_CHECK_PROBE_DEFINE4(name, arg0, arg1, arg2, arg3)		\
74
	SDT_PROBE_DEFINE5(mac_framework, , name, mac__check__err,	\
75
	    "int", arg0, arg1, arg2, arg3);				\
76
	SDT_PROBE_DEFINE5(mac_framework, , name, mac__check__ok,	\
77
	    "int", arg0, arg1, arg2, arg3);
78

79
#define	MAC_CHECK_PROBE_DEFINE3(name, arg0, arg1, arg2)			\
80
	SDT_PROBE_DEFINE4(mac_framework, , name, mac__check__err,	\
81
	    "int", arg0, arg1, arg2);					\
82
	SDT_PROBE_DEFINE4(mac_framework, , name, mac__check__ok,	\
83
	    "int", arg0, arg1, arg2);
84

85
#define	MAC_CHECK_PROBE_DEFINE2(name, arg0, arg1)			\
86
	SDT_PROBE_DEFINE3(mac_framework, , name, mac__check__err,	\
87
	    "int", arg0, arg1);						\
88
	SDT_PROBE_DEFINE3(mac_framework, , name, mac__check__ok,	\
89
	    "int", arg0, arg1);
90

91
#define	MAC_CHECK_PROBE_DEFINE1(name, arg0)				\
92
	SDT_PROBE_DEFINE2(mac_framework, , name, mac__check__err,	\
93
	    "int", arg0);						\
94
	SDT_PROBE_DEFINE2(mac_framework, , name, mac__check__ok,	\
95
	    "int", arg0);
96

97
#define	MAC_CHECK_PROBE5(name, error, arg0, arg1, arg2, arg3, arg4) do { \
98
	if (SDT_PROBES_ENABLED()) {					\
99
		if (error) {						\
100
			SDT_PROBE6(mac_framework, , name, mac__check__err,\
101
			    error, arg0, arg1, arg2, arg3, arg4);	\
102
		} else {						\
103
			SDT_PROBE6(mac_framework, , name, mac__check__ok,\
104
			    0, arg0, arg1, arg2, arg3, arg4);		\
105
		}							\
106
	}								\
107
} while (0)
108

109
#define	MAC_CHECK_PROBE4(name, error, arg0, arg1, arg2, arg3)		\
110
	MAC_CHECK_PROBE5(name, error, arg0, arg1, arg2, arg3, 0)
111
#define	MAC_CHECK_PROBE3(name, error, arg0, arg1, arg2)			\
112
	MAC_CHECK_PROBE4(name, error, arg0, arg1, arg2, 0)
113
#define	MAC_CHECK_PROBE2(name, error, arg0, arg1)			\
114
	MAC_CHECK_PROBE3(name, error, arg0, arg1, 0)
115
#define	MAC_CHECK_PROBE1(name, error, arg0)				\
116
	MAC_CHECK_PROBE2(name, error, arg0, 0)
117
#endif
118

119
#define	MAC_GRANT_PROBE_DEFINE2(name, arg0, arg1)			\
120
	SDT_PROBE_DEFINE3(mac_framework, , name, mac__grant__err,	\
121
	    "int", arg0, arg1);						\
122
	SDT_PROBE_DEFINE3(mac_framework, , name, mac__grant__ok,	\
123
	    "int", arg0, arg1);
124

125
#define	MAC_GRANT_PROBE2(name, error, arg0, arg1)	do {		\
126
	if (SDT_PROBES_ENABLED()) {					\
127
		if (error) {						\
128
			SDT_PROBE3(mac_framework, , name, mac__grant__err,\
129
			    error, arg0, arg1);				\
130
		} else {						\
131
			SDT_PROBE3(mac_framework, , name, mac__grant__ok,\
132
			    error, arg0, arg1);				\
133
		}							\
134
	}								\
135
} while (0)
136

137
/*
138
 * MAC Framework global types and typedefs.
139
 */
140
LIST_HEAD(mac_policy_list_head, mac_policy_conf);
141
#ifdef MALLOC_DECLARE
142
MALLOC_DECLARE(M_MACTEMP);
143
#endif
144

145
/*
146
 * MAC labels -- in-kernel storage format.
147
 *
148
 * In general, struct label pointers are embedded in kernel data structures
149
 * representing objects that may be labeled (and protected).  Struct label is
150
 * opaque to both kernel services that invoke the MAC Framework and MAC
151
 * policy modules.  In particular, we do not wish to encode the layout of the
152
 * label structure into any ABIs.  Historically, the slot array contained
153
 * unions of {long, void} but now contains uintptr_t.
154
 */
155
#define	MAC_MAX_SLOTS	4
156
#define	MAC_FLAG_INITIALIZED	0x0000001	/* Is initialized for use. */
157
struct label {
158
	int		l_flags;
159
	intptr_t	l_perpolicy[MAC_MAX_SLOTS];
160
};
161

162
/*
163
 * Flags for mac_labeled, a bitmask of object types need across the union of
164
 * all policies currently registered with the MAC Framework, used to key
165
 * whether or not labels are allocated and constructors for the type are
166
 * invoked.
167
 */
168
#define	MPC_OBJECT_CRED			0x0000000000000001
169
#define	MPC_OBJECT_PROC			0x0000000000000002
170
#define	MPC_OBJECT_VNODE		0x0000000000000004
171
#define	MPC_OBJECT_INPCB		0x0000000000000008
172
#define	MPC_OBJECT_SOCKET		0x0000000000000010
173
#define	MPC_OBJECT_DEVFS		0x0000000000000020
174
#define	MPC_OBJECT_MBUF			0x0000000000000040
175
#define	MPC_OBJECT_IPQ			0x0000000000000080
176
#define	MPC_OBJECT_IFNET		0x0000000000000100
177
#define	MPC_OBJECT_BPFDESC		0x0000000000000200
178
#define	MPC_OBJECT_PIPE			0x0000000000000400
179
#define	MPC_OBJECT_MOUNT		0x0000000000000800
180
#define	MPC_OBJECT_POSIXSEM		0x0000000000001000
181
#define	MPC_OBJECT_POSIXSHM		0x0000000000002000
182
#define	MPC_OBJECT_SYSVMSG		0x0000000000004000
183
#define	MPC_OBJECT_SYSVMSQ		0x0000000000008000
184
#define	MPC_OBJECT_SYSVSEM		0x0000000000010000
185
#define	MPC_OBJECT_SYSVSHM		0x0000000000020000
186
#define	MPC_OBJECT_SYNCACHE		0x0000000000040000
187
#define	MPC_OBJECT_IP6Q			0x0000000000080000
188
#define	MPC_OBJECT_PRISON		0x0000000000100000
189

190
/*
191
 * MAC Framework global variables.
192
 */
193
extern struct mac_policy_list_head	mac_policy_list;
194
extern struct mac_policy_list_head	mac_static_policy_list;
195
extern u_int				mac_policy_count;
196
extern uint64_t				mac_labeled;
197
extern struct mtx			mac_ifnet_mtx;
198

199
/*
200
 * MAC Framework infrastructure functions.
201
 */
202
int	mac_error_select(int error1, int error2);
203

204
void	mac_policy_slock_nosleep(struct rm_priotracker *tracker);
205
void	mac_policy_slock_sleep(void);
206
void	mac_policy_sunlock_nosleep(struct rm_priotracker *tracker);
207
void	mac_policy_sunlock_sleep(void);
208

209
struct label	*mac_labelzone_alloc(int flags);
210
void		 mac_labelzone_free(struct label *label);
211
void		 mac_labelzone_init(void);
212

213
void	mac_init_label(struct label *label);
214
void	mac_destroy_label(struct label *label);
215
int	mac_check_structmac_consistent(const struct mac *mac);
216
int	mac_allocate_slot(void);
217

218
/*
219
 * Lock ifnets to protect labels only if ifnet labels are in use.
220
 */
221
#define MAC_IFNET_LOCK(ifp, locked)	do {				\
222
	if (mac_labeled & MPC_OBJECT_IFNET) {				\
223
		mtx_lock(&mac_ifnet_mtx);				\
224
		locked = 1;						\
225
	} else {							\
226
		locked = 0;						\
227
	}								\
228
} while (0)
229

230
#define MAC_IFNET_UNLOCK(ifp, locked)	do {				\
231
	if (locked) {							\
232
		mtx_unlock(&mac_ifnet_mtx);				\
233
		locked = 0;						\
234
	}								\
235
} while (0)
236

237
/*
238
 * MAC Framework per-object type functions.  It's not yet clear how the
239
 * namespaces, etc, should work for these, so for now, sort by object type.
240
 */
241
struct label	*mac_cred_label_alloc(void);
242
void		 mac_cred_label_free(struct label *label);
243
struct label	*mac_pipe_label_alloc(void);
244
void		 mac_pipe_label_free(struct label *label);
245
struct label	*mac_prison_label_alloc(int flags);
246
void		 mac_prison_label_free(struct label *label);
247
struct label	*mac_socket_label_alloc(int flag);
248
void		 mac_socket_label_free(struct label *label);
249
void		 mac_socketpeer_label_free(struct label *label);
250
struct label	*mac_vnode_label_alloc(void);
251
void		 mac_vnode_label_free(struct label *label);
252

253
int	mac_cred_check_relabel(struct ucred *cred, struct label *newlabel);
254
int	mac_cred_externalize_label(struct label *label, char *elements,
255
	    char *outbuf, size_t outbuflen);
256
int	mac_cred_internalize_label(struct label *label, char *string);
257
void	mac_cred_relabel(struct ucred *cred, struct label *newlabel);
258

259
struct label	*mac_mbuf_to_label(struct mbuf *m);
260

261
void	mac_pipe_copy_label(struct label *src, struct label *dest);
262
int	mac_pipe_externalize_label(struct label *label, char *elements,
263
	    char *outbuf, size_t outbuflen);
264
int	mac_pipe_internalize_label(struct label *label, char *string);
265

266
int	mac_prison_label_set(struct ucred *cred, struct prison *pr,
267
	    struct label *label);
268
int	mac_prison_check_relabel(struct ucred *cred, struct prison *pr,
269
	    struct label *newlabel);
270
void	mac_prison_copy_label(struct label *src, struct label *dest);
271
int	mac_prison_externalize_label(struct label *label, char *elements,
272
	    char *outbuf, size_t outbuflen);
273
int	mac_prison_internalize_label(struct label *label, char *string);
274
void	mac_prison_relabel(struct ucred *cred, struct prison *pr,
275
	    struct label *newlabel);
276

277
int	mac_socket_label_set(struct ucred *cred, struct socket *so,
278
	    struct label *label);
279
void	mac_socket_copy_label(struct label *src, struct label *dest);
280
int	mac_socket_externalize_label(struct label *label, char *elements,
281
	    char *outbuf, size_t outbuflen);
282
int	mac_socket_internalize_label(struct label *label, char *string);
283

284
int	mac_vnode_externalize_label(struct label *label, char *elements,
285
	    char *outbuf, size_t outbuflen);
286
int	mac_vnode_internalize_label(struct label *label, char *string);
287
void	mac_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp,
288
	    int *prot);
289
int	vn_setlabel(struct vnode *vp, struct label *intlabel,
290
	    struct ucred *cred);
291

292
/*
293
 * MAC Framework composition macros invoke all registered MAC policies for a
294
 * specific entry point.  They come in two forms: one which permits policies
295
 * to sleep/block, and another that does not.
296
 *
297
 * MAC_POLICY_CHECK performs the designated check by walking the policy
298
 * module list and checking with each as to how it feels about the request.
299
 * Note that it returns its value via 'error' in the scope of the caller.
300
 */
301
#define	MAC_POLICY_CHECK(check, args...) do {				\
302
	struct mac_policy_conf *mpc;					\
303
									\
304
	error = 0;							\
305
	LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) {		\
306
		if (mpc->mpc_ops->mpo_ ## check != NULL)		\
307
			error = mac_error_select(			\
308
			    mpc->mpc_ops->mpo_ ## check (args),		\
309
			    error);					\
310
	}								\
311
	if (!LIST_EMPTY(&mac_policy_list)) {				\
312
		mac_policy_slock_sleep();				\
313
		LIST_FOREACH(mpc, &mac_policy_list, mpc_list) {		\
314
			if (mpc->mpc_ops->mpo_ ## check != NULL)	\
315
				error = mac_error_select(		\
316
				    mpc->mpc_ops->mpo_ ## check (args),	\
317
				    error);				\
318
		}							\
319
		mac_policy_sunlock_sleep();				\
320
	}								\
321
} while (0)
322

323
#define	MAC_POLICY_CHECK_NOSLEEP(check, args...) do {			\
324
	struct mac_policy_conf *mpc;					\
325
									\
326
	error = 0;							\
327
	LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) {		\
328
		if (mpc->mpc_ops->mpo_ ## check != NULL)		\
329
			error = mac_error_select(			\
330
			    mpc->mpc_ops->mpo_ ## check (args),		\
331
			    error);					\
332
	}								\
333
	if (!LIST_EMPTY(&mac_policy_list)) {				\
334
		struct rm_priotracker tracker;				\
335
									\
336
		mac_policy_slock_nosleep(&tracker);			\
337
		LIST_FOREACH(mpc, &mac_policy_list, mpc_list) {		\
338
			if (mpc->mpc_ops->mpo_ ## check != NULL)	\
339
				error = mac_error_select(		\
340
				    mpc->mpc_ops->mpo_ ## check (args),	\
341
				    error);				\
342
		}							\
343
		mac_policy_sunlock_nosleep(&tracker);			\
344
	}								\
345
} while (0)
346

347
/*
348
 * MAC_POLICY_GRANT performs the designated check by walking the policy
349
 * module list and checking with each as to how it feels about the request.
350
 * Unlike MAC_POLICY_CHECK, it grants if any policies return '0', and
351
 * otherwise returns EPERM.  Note that it returns its value via 'error' in
352
 * the scope of the caller.
353
 */
354
#define	MAC_POLICY_GRANT_NOSLEEP(check, args...) do {			\
355
	struct mac_policy_conf *mpc;					\
356
									\
357
	error = EPERM;							\
358
	LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) {		\
359
		if (mpc->mpc_ops->mpo_ ## check != NULL) {		\
360
			if (mpc->mpc_ops->mpo_ ## check(args) == 0)	\
361
				error = 0;				\
362
		}							\
363
	}								\
364
	if (!LIST_EMPTY(&mac_policy_list)) {				\
365
		struct rm_priotracker tracker;				\
366
									\
367
		mac_policy_slock_nosleep(&tracker);			\
368
		LIST_FOREACH(mpc, &mac_policy_list, mpc_list) {		\
369
			if (mpc->mpc_ops->mpo_ ## check != NULL) {	\
370
				if (mpc->mpc_ops->mpo_ ## check (args)	\
371
				    == 0)				\
372
					error = 0;			\
373
			}						\
374
		}							\
375
		mac_policy_sunlock_nosleep(&tracker);			\
376
	}								\
377
} while (0)
378

379
/*
380
 * MAC_POLICY_BOOLEAN performs the designated boolean composition by walking
381
 * the module list, invoking each instance of the operation, and combining
382
 * the results using the passed C operator.  Note that it returns its value
383
 * via 'result' in the scope of the caller, which should be initialized by
384
 * the caller in a meaningful way to get a meaningful result.
385
 */
386
#define	MAC_POLICY_BOOLEAN(operation, composition, args...) do {	\
387
	struct mac_policy_conf *mpc;					\
388
									\
389
	LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) {		\
390
		if (mpc->mpc_ops->mpo_ ## operation != NULL)		\
391
			result = result composition			\
392
			    mpc->mpc_ops->mpo_ ## operation (args);	\
393
	}								\
394
	if (!LIST_EMPTY(&mac_policy_list)) {				\
395
		mac_policy_slock_sleep();				\
396
		LIST_FOREACH(mpc, &mac_policy_list, mpc_list) {		\
397
			if (mpc->mpc_ops->mpo_ ## operation != NULL)	\
398
				result = result composition		\
399
				    mpc->mpc_ops->mpo_ ## operation	\
400
				    (args);				\
401
		}							\
402
		mac_policy_sunlock_sleep();				\
403
	}								\
404
} while (0)
405

406
#define	MAC_POLICY_BOOLEAN_NOSLEEP(operation, composition, args...) do {\
407
	struct mac_policy_conf *mpc;					\
408
									\
409
	LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) {		\
410
		if (mpc->mpc_ops->mpo_ ## operation != NULL)		\
411
			result = result composition			\
412
			    mpc->mpc_ops->mpo_ ## operation (args);	\
413
	}								\
414
	if (!LIST_EMPTY(&mac_policy_list)) {				\
415
		struct rm_priotracker tracker;				\
416
									\
417
		mac_policy_slock_nosleep(&tracker);			\
418
		LIST_FOREACH(mpc, &mac_policy_list, mpc_list) {		\
419
			if (mpc->mpc_ops->mpo_ ## operation != NULL)	\
420
				result = result composition		\
421
				    mpc->mpc_ops->mpo_ ## operation	\
422
				    (args);				\
423
		}							\
424
		mac_policy_sunlock_nosleep(&tracker);			\
425
	}								\
426
} while (0)
427

428
/*
429
 * MAC_POLICY_EXTERNALIZE queries each policy to see if it can generate an
430
 * externalized version of a label element by name.  Policies declare whether
431
 * they have matched a particular element name, parsed from the string by
432
 * MAC_POLICY_EXTERNALIZE, and an error is returned if any element is matched
433
 * by no policy.
434
 */
435
#define	MAC_POLICY_EXTERNALIZE(type, label, elementlist, outbuf, 	\
436
    outbuflen) do {							\
437
	int claimed, first, ignorenotfound, savedlen;			\
438
	char *element_name, *element_temp;				\
439
	struct sbuf sb;							\
440
									\
441
	error = 0;							\
442
	first = 1;							\
443
	sbuf_new(&sb, outbuf, outbuflen, SBUF_FIXEDLEN);		\
444
	element_temp = elementlist;					\
445
	while ((element_name = strsep(&element_temp, ",")) != NULL) {	\
446
		if (element_name[0] == '?') {				\
447
			element_name++;					\
448
			ignorenotfound = 1;				\
449
		 } else							\
450
			ignorenotfound = 0;				\
451
		savedlen = sbuf_len(&sb);				\
452
		if (first)						\
453
			error = sbuf_printf(&sb, "%s/", element_name);	\
454
		else							\
455
			error = sbuf_printf(&sb, ",%s/", element_name);	\
456
		if (error == -1) {					\
457
			error = EINVAL;	/* XXX: E2BIG? */		\
458
			break;						\
459
		}							\
460
		claimed = 0;						\
461
		MAC_POLICY_CHECK(type ## _externalize_label, label,	\
462
		    element_name, &sb, &claimed);			\
463
		if (error)						\
464
			break;						\
465
		if (claimed == 0 && ignorenotfound) {			\
466
			/* Revert last label name. */			\
467
			sbuf_setpos(&sb, savedlen);			\
468
		} else if (claimed != 1) {				\
469
			error = EINVAL;	/* XXX: ENOLABEL? */		\
470
			break;						\
471
		} else {						\
472
			first = 0;					\
473
		}							\
474
	}								\
475
	sbuf_finish(&sb);						\
476
} while (0)
477

478
/*
479
 * MAC_POLICY_INTERNALIZE presents parsed element names and data to each
480
 * policy to see if any is willing to claim it and internalize the label
481
 * data.  If no policies match, an error is returned.
482
 */
483
#define	MAC_POLICY_INTERNALIZE(type, label, instring) do {		\
484
	char *element, *element_name, *element_data;			\
485
	int claimed;							\
486
									\
487
	error = 0;							\
488
	element = instring;						\
489
	while ((element_name = strsep(&element, ",")) != NULL) {	\
490
		element_data = element_name;				\
491
		element_name = strsep(&element_data, "/");		\
492
		if (element_data == NULL) {				\
493
			error = EINVAL;					\
494
			break;						\
495
		}							\
496
		claimed = 0;						\
497
		MAC_POLICY_CHECK(type ## _internalize_label, label,	\
498
		    element_name, element_data, &claimed);		\
499
		if (error)						\
500
			break;						\
501
		if (claimed != 1) {					\
502
			/* XXXMAC: Another error here? */		\
503
			error = EINVAL;					\
504
			break;						\
505
		}							\
506
	}								\
507
} while (0)
508

509
/*
510
 * MAC_POLICY_PERFORM performs the designated operation by walking the policy
511
 * module list and invoking that operation for each policy.
512
 */
513
#define	MAC_POLICY_PERFORM(operation, args...) do {			\
514
	struct mac_policy_conf *mpc;					\
515
									\
516
	LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) {		\
517
		if (mpc->mpc_ops->mpo_ ## operation != NULL)		\
518
			mpc->mpc_ops->mpo_ ## operation (args);		\
519
	}								\
520
	if (!LIST_EMPTY(&mac_policy_list)) {				\
521
		mac_policy_slock_sleep();				\
522
		LIST_FOREACH(mpc, &mac_policy_list, mpc_list) {		\
523
			if (mpc->mpc_ops->mpo_ ## operation != NULL)	\
524
				mpc->mpc_ops->mpo_ ## operation (args);	\
525
		}							\
526
		mac_policy_sunlock_sleep();				\
527
	}								\
528
} while (0)
529

530
#define	MAC_POLICY_PERFORM_NOSLEEP(operation, args...) do {		\
531
	struct mac_policy_conf *mpc;					\
532
									\
533
	LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) {		\
534
		if (mpc->mpc_ops->mpo_ ## operation != NULL)		\
535
			mpc->mpc_ops->mpo_ ## operation (args);		\
536
	}								\
537
	if (!LIST_EMPTY(&mac_policy_list)) {				\
538
		struct rm_priotracker tracker;				\
539
									\
540
		mac_policy_slock_nosleep(&tracker);			\
541
		LIST_FOREACH(mpc, &mac_policy_list, mpc_list) {		\
542
			if (mpc->mpc_ops->mpo_ ## operation != NULL)	\
543
				mpc->mpc_ops->mpo_ ## operation (args);	\
544
		}							\
545
		mac_policy_sunlock_nosleep(&tracker);			\
546
	}								\
547
} while (0)
548

549
#endif /* !_SECURITY_MAC_MAC_INTERNAL_H_ */
550

551