17bc82500SRobert Watson /*-
22087a58cSRobert Watson  * Copyright (c) 1999-2002, 2009 Robert N. M. Watson
37bc82500SRobert Watson  * Copyright (c) 2001 Ilmar S. Habibulin
469f832b4SRobert Watson  * Copyright (c) 2001-2005 McAfee, Inc.
5eb542415SRobert Watson  * Copyright (c) 2005-2006 SPARTA, Inc.
66356dba0SRobert Watson  * Copyright (c) 2008 Apple Inc.
77bc82500SRobert Watson  * All rights reserved.
87bc82500SRobert Watson  *
97bc82500SRobert Watson  * This software was developed by Robert Watson and Ilmar Habibulin for the
107bc82500SRobert Watson  * TrustedBSD Project.
117bc82500SRobert Watson  *
1269f832b4SRobert Watson  * This software was developed for the FreeBSD Project in part by McAfee
1369f832b4SRobert Watson  * Research, the Security Research Division of McAfee, Inc. under
1469f832b4SRobert Watson  * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
1569f832b4SRobert Watson  * CHATS research program.
167bc82500SRobert Watson  *
17d26dd2d9SRobert Watson  * This software was enhanced by SPARTA ISSO under SPAWAR contract
18d26dd2d9SRobert Watson  * N66001-04-C-6019 ("SEFOS").
19d26dd2d9SRobert Watson  *
202087a58cSRobert Watson  * This software was developed at the University of Cambridge Computer
212087a58cSRobert Watson  * Laboratory with support from a grant from Google, Inc.
222087a58cSRobert Watson  *
237bc82500SRobert Watson  * Redistribution and use in source and binary forms, with or without
247bc82500SRobert Watson  * modification, are permitted provided that the following conditions
257bc82500SRobert Watson  * are met:
267bc82500SRobert Watson  * 1. Redistributions of source code must retain the above copyright
277bc82500SRobert Watson  *    notice, this list of conditions and the following disclaimer.
287bc82500SRobert Watson  * 2. Redistributions in binary form must reproduce the above copyright
297bc82500SRobert Watson  *    notice, this list of conditions and the following disclaimer in the
307bc82500SRobert Watson  *    documentation and/or other materials provided with the distribution.
317bc82500SRobert Watson  *
327bc82500SRobert Watson  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
337bc82500SRobert Watson  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
347bc82500SRobert Watson  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
357bc82500SRobert Watson  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
367bc82500SRobert Watson  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
377bc82500SRobert Watson  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
387bc82500SRobert Watson  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
397bc82500SRobert Watson  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
407bc82500SRobert Watson  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
417bc82500SRobert Watson  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
427bc82500SRobert Watson  * SUCH DAMAGE.
437bc82500SRobert Watson  */
44677b542eSDavid E. O'Brien 
45677b542eSDavid E. O'Brien #include <sys/cdefs.h>
467bc82500SRobert Watson #include "opt_mac.h"
47f9d0d524SRobert Watson 
487bc82500SRobert Watson #include <sys/param.h>
49a96acd1aSRobert Watson #include <sys/condvar.h>
5095fab37eSRobert Watson #include <sys/extattr.h>
51670cb89bSRobert Watson #include <sys/imgact.h>
5295fab37eSRobert Watson #include <sys/kernel.h>
5395fab37eSRobert Watson #include <sys/lock.h>
54b656366bSBruce Evans #include <sys/malloc.h>
5595fab37eSRobert Watson #include <sys/mutex.h>
5695fab37eSRobert Watson #include <sys/proc.h>
57f51e5803SRobert Watson #include <sys/sbuf.h>
5895fab37eSRobert Watson #include <sys/systm.h>
5995fab37eSRobert Watson #include <sys/vnode.h>
6095fab37eSRobert Watson #include <sys/mount.h>
6195fab37eSRobert Watson #include <sys/file.h>
6295fab37eSRobert Watson #include <sys/namei.h>
632087a58cSRobert Watson #include <sys/sdt.h>
6495fab37eSRobert Watson #include <sys/sysctl.h>
6595fab37eSRobert Watson 
6695fab37eSRobert Watson #include <vm/vm.h>
6795fab37eSRobert Watson #include <vm/pmap.h>
6895fab37eSRobert Watson #include <vm/vm_map.h>
6995fab37eSRobert Watson #include <vm/vm_object.h>
7095fab37eSRobert Watson 
7195fab37eSRobert Watson #include <fs/devfs/devfs.h>
7295fab37eSRobert Watson 
73aed55708SRobert Watson #include <security/mac/mac_framework.h>
746cc24dcbSRobert Watson #include <security/mac/mac_internal.h>
750efd6615SRobert Watson #include <security/mac/mac_policy.h>
7695fab37eSRobert Watson 
/*
 * Warn about EA transactions only the first time they happen.  No locking on
 * this variable.  Two callers racing on the 0 -> 1 update can at worst print
 * the warning twice, which is why the race is tolerated.
 */
static int	ea_warn_once = 0;

/* Forward declaration; the definition follows mac_vnode_create_extattr(). */
static int	mac_vnode_setlabel_extattr(struct ucred *cred,
		    struct vnode *vp, struct label *intlabel);
85763bbd2fSRobert Watson 
/*
 * Allocate a devfs dirent label from the label zone and let every loaded
 * policy initialise its slot.  M_WAITOK and the sleeping MAC_POLICY_PERFORM
 * variant are used, so callers must be in a context that may sleep.
 */
static struct label *
mac_devfs_label_alloc(void)
{
	struct label *l = mac_labelzone_alloc(M_WAITOK);

	MAC_POLICY_PERFORM(devfs_init_label, l);
	return (l);
}
95eca8a663SRobert Watson 
/*
 * Attach a label to a fresh devfs dirent.  A label is only allocated when
 * some loaded policy declared an interest in devfs objects (MPC_OBJECT_DEVFS
 * set in mac_labeled); otherwise de_label stays NULL and the matching
 * destroy routine becomes a no-op.
 */
void
mac_devfs_init(struct devfs_dirent *de)
{

	de->de_label = (mac_labeled & MPC_OBJECT_DEVFS) != 0 ?
	    mac_devfs_label_alloc() : NULL;
}
105eca8a663SRobert Watson 
/*
 * Allocate a mount label and have each loaded policy initialise it.  Uses
 * M_WAITOK and the sleeping MAC_POLICY_PERFORM, so the caller may sleep.
 */
static struct label *
mac_mount_label_alloc(void)
{
	struct label *l = mac_labelzone_alloc(M_WAITOK);

	MAC_POLICY_PERFORM(mount_init_label, l);
	return (l);
}
115eca8a663SRobert Watson 
/*
 * Attach a label to a new mount point, but only if a loaded policy labels
 * mounts (MPC_OBJECT_MOUNT in mac_labeled).  Otherwise mnt_label is NULL,
 * which mac_mount_destroy() tolerates.
 */
void
mac_mount_init(struct mount *mp)
{

	mp->mnt_label = (mac_labeled & MPC_OBJECT_MOUNT) != 0 ?
	    mac_mount_label_alloc() : NULL;
}
12508bcdc58SRobert Watson 
/*
 * Allocate a vnode label and let each loaded policy initialise its slot.
 * Exported (non-static), unlike the devfs and mount allocators.  M_WAITOK
 * plus the sleeping MAC_POLICY_PERFORM means the caller must be able to
 * sleep.
 */
struct label *
mac_vnode_label_alloc(void)
{
	struct label *l = mac_labelzone_alloc(M_WAITOK);

	MAC_POLICY_PERFORM(vnode_init_label, l);
	return (l);
}
13508bcdc58SRobert Watson 
/*
 * Attach a label to a newly created vnode when some loaded policy labels
 * vnodes (MPC_OBJECT_VNODE in mac_labeled); otherwise v_label is NULL and
 * mac_vnode_destroy() skips the free.
 */
void
mac_vnode_init(struct vnode *vp)
{

	vp->v_label = (mac_labeled & MPC_OBJECT_VNODE) != 0 ?
	    mac_vnode_label_alloc() : NULL;
}
145eca8a663SRobert Watson 
/*
 * Release a devfs dirent label: policies tear down their per-label state
 * first (non-sleeping variant), then the label returns to the zone.  The
 * order matters; the zone free must not precede the policy callbacks.
 */
static void
mac_devfs_label_free(struct label *label)
{

	MAC_POLICY_PERFORM_NOSLEEP(devfs_destroy_label, label);
	mac_labelzone_free(label);
}
15308bcdc58SRobert Watson 
/*
 * Drop the label of a devfs dirent being destroyed.  A NULL de_label (no
 * policy labels devfs) is accepted; after freeing, the pointer is cleared so
 * a later double destroy cannot free it again.
 */
void
mac_devfs_destroy(struct devfs_dirent *de)
{

	if (de->de_label == NULL)
		return;
	mac_devfs_label_free(de->de_label);
	de->de_label = NULL;
}
163eca8a663SRobert Watson 
/*
 * Release a mount label: policy teardown callbacks (non-sleeping) run before
 * the label is handed back to the zone.
 */
static void
mac_mount_label_free(struct label *label)
{

	MAC_POLICY_PERFORM_NOSLEEP(mount_destroy_label, label);
	mac_labelzone_free(label);
}
171eca8a663SRobert Watson 
/*
 * Drop the label of a mount point being torn down.  Tolerates a NULL
 * mnt_label and clears the pointer after the free so the label cannot be
 * released twice.
 */
void
mac_mount_destroy(struct mount *mp)
{

	if (mp->mnt_label == NULL)
		return;
	mac_mount_label_free(mp->mnt_label);
	mp->mnt_label = NULL;
}
18108bcdc58SRobert Watson 
/*
 * Release a vnode label: policies destroy their per-label state
 * (non-sleeping), then the label goes back to the zone.  Exported so that
 * callers holding a detached label (not just mac_vnode_destroy()) can free
 * it.
 */
void
mac_vnode_label_free(struct label *label)
{

	MAC_POLICY_PERFORM_NOSLEEP(vnode_destroy_label, label);
	mac_labelzone_free(label);
}
18908bcdc58SRobert Watson 
/*
 * Drop the label of a vnode being reclaimed.  A NULL v_label is fine; the
 * pointer is cleared after the free to guard against a double release.
 */
void
mac_vnode_destroy(struct vnode *vp)
{

	if (vp->v_label == NULL)
		return;
	mac_vnode_label_free(vp->v_label);
	vp->v_label = NULL;
}
199f7b951a8SRobert Watson 
/*
 * Copy a vnode label, slot by slot, by asking each policy to copy its own
 * part from src to dest.  Non-sleeping.  Both labels are presumably already
 * allocated by the caller -- nothing here checks for NULL.
 */
void
mac_vnode_copy_label(struct label *src, struct label *dest)
{

	MAC_POLICY_PERFORM_NOSLEEP(vnode_copy_label, src, dest);
}
20608bcdc58SRobert Watson 
/*
 * Render a vnode label as text into outbuf, limited to outbuflen bytes, for
 * the policy elements named in the elements string.  The MAC_POLICY_EXTERNALIZE
 * macro assigns the composed result to error.  NOTE(review): elements and
 * outbuf are non-const and presumably rewritten in place by the macro --
 * confirm before passing shared buffers.
 */
int
mac_vnode_externalize_label(struct label *label, char *elements,
    char *outbuf, size_t outbuflen)
{
	int error;

	MAC_POLICY_EXTERNALIZE(vnode, label, elements, outbuf, outbuflen);

	return (error);
}
217f7b951a8SRobert Watson 
/*
 * Parse the textual form in string into label.  The MAC_POLICY_INTERNALIZE
 * macro assigns the composed policy result to error.  NOTE(review): the
 * string is text that presumably originated from userland; each policy's
 * internalize routine is the place where it must be validated -- verify at
 * the callers.
 */
int
mac_vnode_internalize_label(struct label *label, char *string)
{
	int error;

	MAC_POLICY_INTERNALIZE(vnode, label, string);

	return (error);
}
22769bbb5b1SRobert Watson 
/*
 * Notify policies that the devfs dirent de and its vnode vp (on mount mp)
 * should be brought back into agreement, handing both labels to the policy.
 * Which way the policy copies is up to it; this layer only pairs the two
 * objects.  Non-sleeping.
 */
void
mac_devfs_update(struct mount *mp, struct devfs_dirent *de, struct vnode *vp)
{

	MAC_POLICY_PERFORM_NOSLEEP(devfs_update, mp, de, de->de_label, vp,
	    vp->v_label);
}
23595fab37eSRobert Watson 
/*
 * Associate a freshly instantiated devfs vnode vp with its dirent de: the
 * policies are given the mount, dirent and vnode labels so the vnode label
 * can be derived from the other two.  Non-sleeping.
 */
void
mac_devfs_vnode_associate(struct mount *mp, struct devfs_dirent *de,
    struct vnode *vp)
{

	MAC_POLICY_PERFORM_NOSLEEP(devfs_vnode_associate, mp, mp->mnt_label,
	    de, de->de_label, vp, vp->v_label);
}
24495fab37eSRobert Watson 
/*
 * Load the label of vp from its extended attributes (multilabel file
 * systems).  The vnode must be locked (asserted).  MAC_POLICY_CHECK assigns
 * the composed policy result to error; a non-zero value means the stored
 * label could not be read or was rejected.
 */
int
mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp)
{
	int error;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_associate_extattr");

	MAC_POLICY_CHECK(vnode_associate_extattr, mp, mp->mnt_label, vp,
	    vp->v_label);

	return (error);
}
25795fab37eSRobert Watson 
/*
 * Label vp on a file system that has no per-file label storage: the only
 * inputs are the mount and its label, so the vnode label is derived from
 * the mount's.  Non-sleeping and cannot fail.
 */
void
mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp)
{

	MAC_POLICY_PERFORM_NOSLEEP(vnode_associate_singlelabel, mp,
	    mp->mnt_label, vp, vp->v_label);
}
26595fab37eSRobert Watson 
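/*
 * Functions implementing extended-attribute backed labels for file systems
 * that support it.
 *
 * Where possible, we use EA transactions to make writes to multiple
 * attributes across difference policies mutually atomic.  We allow work to
 * continue on file systems not supporting EA transactions, but generate a
 * printf warning.
 */

/*
 * Begin an EA transaction on vp on behalf of cred.
 *
 * Returns 0 when the transaction was opened, and also when the file system
 * does not support transactions (EOPNOTSUPP is downgraded to a one-time
 * warning so the label write proceeds non-atomically).  Any other VOP
 * error is returned unchanged.  After a successful return the caller must
 * finish with mac_vnode_ea_txn_end() on every path.
 */
static int
mac_vnode_ea_txn_begin(struct ucred *cred, struct vnode *vp)
{
	int error;

	error = VOP_OPENEXTATTR(vp, cred, curthread);
	if (error == EOPNOTSUPP) {
		/*
		 * Unlocked test-and-set on ea_warn_once: a racing caller
		 * may print the warning twice, which is harmless.
		 */
		if (ea_warn_once == 0) {
			printf("Warning: transactions not supported "
			    "in EA write.\n");
			ea_warn_once = 1;
		}
		return (0);
	}
	return (error);
}

/*
 * End an EA transaction on vp, committing it when commit is non-zero and
 * aborting it otherwise.  EOPNOTSUPP (no transaction support) maps to
 * success, mirroring mac_vnode_ea_txn_begin().
 */
static int
mac_vnode_ea_txn_end(struct vnode *vp, int commit)
{
	int error;

	error = VOP_CLOSEEXTATTR(vp, commit, NOCRED, curthread);
	if (error == EOPNOTSUPP)
		error = 0;
	return (error);
}

/*
 * Have the policies write the initial labels of the newly created vnode vp
 * (in directory dvp, named by cnp, on mount mp) to its extended attributes,
 * inside one EA transaction.  If a policy fails the transaction is aborted
 * and the policy error returned; otherwise the commit status is returned.
 * Both vnodes must be locked (asserted).
 */
int
mac_vnode_create_extattr(struct ucred *cred, struct mount *mp,
    struct vnode *dvp, struct vnode *vp, struct componentname *cnp)
{
	int error;

	ASSERT_VOP_LOCKED(dvp, "mac_vnode_create_extattr");
	ASSERT_VOP_LOCKED(vp, "mac_vnode_create_extattr");

	error = mac_vnode_ea_txn_begin(cred, vp);
	if (error != 0)
		return (error);

	/* MAC_POLICY_CHECK assigns the composed policy result to error. */
	MAC_POLICY_CHECK(vnode_create_extattr, cred, mp, mp->mnt_label, dvp,
	    dvp->v_label, vp, vp->v_label, cnp);
	if (error != 0) {
		/* Abort; the policy error, not the close status, is reported. */
		(void)mac_vnode_ea_txn_end(vp, 0);
		return (error);
	}

	return (mac_vnode_ea_txn_end(vp, 1));
}

/*
 * Have the policies write intlabel (an already-internalised label) to the
 * extended attributes of vp, inside one EA transaction.  A policy failure
 * aborts the transaction and is returned; otherwise the commit status is
 * returned.  The vnode must be locked (asserted).
 */
static int
mac_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
    struct label *intlabel)
{
	int error;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_setlabel_extattr");

	error = mac_vnode_ea_txn_begin(cred, vp);
	if (error != 0)
		return (error);

	/* MAC_POLICY_CHECK assigns the composed policy result to error. */
	MAC_POLICY_CHECK(vnode_setlabel_extattr, cred, vp, vp->v_label,
	    intlabel);
	if (error != 0) {
		/* Abort; the policy error, not the close status, is reported. */
		(void)mac_vnode_ea_txn_end(vp, 0);
		return (error);
	}

	return (mac_vnode_ea_txn_end(vp, 1));
}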
34195fab37eSRobert Watson 
/*
 * Let the policies fill in new, the credential the image will run with,
 * from old, the image vnode and its label, the interpreter's label and
 * imgp->execlabel.  Sleeping variant of MAC_POLICY_PERFORM; the vnode must
 * be locked (asserted).
 */
void
mac_vnode_execve_transition(struct ucred *old, struct ucred *new,
    struct vnode *vp, struct label *interpvplabel, struct image_params *imgp)
{

	ASSERT_VOP_LOCKED(vp, "mac_vnode_execve_transition");

	MAC_POLICY_PERFORM(vnode_execve_transition, old, new, vp,
	    vp->v_label, interpvplabel, imgp, imgp->execlabel);
}
35295fab37eSRobert Watson 
/*
 * Ask whether executing vp under old will change the credential.  The
 * per-policy answers are OR-ed into result by MAC_POLICY_BOOLEAN_NOSLEEP,
 * so a single policy requesting a transition is enough.  The vnode must be
 * locked (asserted).
 */
int
mac_vnode_execve_will_transition(struct ucred *old, struct vnode *vp,
    struct label *interpvplabel, struct image_params *imgp)
{
	int result;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_execve_will_transition");

	result = 0;
	/* No sleeping since the process lock will be held by the caller. */
	MAC_POLICY_BOOLEAN_NOSLEEP(vnode_execve_will_transition, ||, old, vp,
	    vp->v_label, interpvplabel, imgp, imgp->execlabel);

	return (result);
}
36895fab37eSRobert Watson 
/* SDT probe reporting the decision of the vnode_check_access hook. */
MAC_CHECK_PROBE_DEFINE3(vnode_check_access, "struct ucred *",
    "struct vnode *", "accmode_t");

/*
 * Hook: may cred access vp with accmode?  MAC_POLICY_CHECK assigns the
 * composed policy result to error, then the probe records it together with
 * the arguments.  The vnode must be locked; note the assertion tag omits
 * the _impl suffix.  NOTE(review): the _impl suffix suggests a wrapper
 * elsewhere short-circuits before calling this -- not visible here.
 */
int
mac_vnode_check_access_impl(struct ucred *cred, struct vnode *vp, accmode_t accmode)
{
	int error;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_access");

	MAC_POLICY_CHECK(vnode_check_access, cred, vp, vp->v_label, accmode);
	MAC_CHECK_PROBE3(vnode_check_access, error, cred, vp, accmode);

	return (error);
}
38495fab37eSRobert Watson 
/* SDT probe reporting the decision of the vnode_check_chdir hook. */
MAC_CHECK_PROBE_DEFINE2(vnode_check_chdir, "struct ucred *",
    "struct vnode *");

/*
 * Hook: may cred change its working directory to dvp?  MAC_POLICY_CHECK
 * assigns the composed policy result to error; the probe then records it.
 * dvp must be locked (asserted).
 */
int
mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp)
{
	int error;

	ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_chdir");

	MAC_POLICY_CHECK(vnode_check_chdir, cred, dvp, dvp->v_label);
	MAC_CHECK_PROBE2(vnode_check_chdir, error, cred, dvp);

	return (error);
}
40095fab37eSRobert Watson 
/* SDT probe reporting the decision of the vnode_check_chroot hook. */
MAC_CHECK_PROBE_DEFINE2(vnode_check_chroot, "struct ucred *",
    "struct vnode *");

/*
 * Hook: may cred change its root directory to dvp?  MAC_POLICY_CHECK
 * assigns the composed policy result to error; the probe then records it.
 * dvp must be locked (asserted).
 */
int
mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp)
{
	int error;

	ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_chroot");

	MAC_POLICY_CHECK(vnode_check_chroot, cred, dvp, dvp->v_label);
	MAC_CHECK_PROBE2(vnode_check_chroot, error, cred, dvp);

	return (error);
}
41695fab37eSRobert Watson 
/* SDT probe reporting the decision of the vnode_check_create hook. */
MAC_CHECK_PROBE_DEFINE4(vnode_check_create, "struct ucred *",
    "struct vnode *", "struct componentname *", "struct vattr *");

/*
 * Hook: may cred create a new object named by cnp, with attributes vap, in
 * directory dvp?  Only the directory exists yet, so only its label is
 * consulted.  MAC_POLICY_CHECK assigns the composed result to error; the
 * probe then records it.  dvp must be locked (asserted).
 */
int
mac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
    struct componentname *cnp, struct vattr *vap)
{
	int error;

	ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_create");

	MAC_POLICY_CHECK(vnode_check_create, cred, dvp, dvp->v_label, cnp,
	    vap);
	MAC_CHECK_PROBE4(vnode_check_create, error, cred, dvp, cnp, vap);

	return (error);
}
43495fab37eSRobert Watson 
/* SDT probe reporting the decision of the vnode_check_deleteacl hook. */
MAC_CHECK_PROBE_DEFINE3(vnode_check_deleteacl, "struct ucred *",
    "struct vnode *", "acl_type_t");

/*
 * Hook: may cred delete the ACL of the given type from vp?  MAC_POLICY_CHECK
 * assigns the composed policy result to error; the probe then records it.
 * vp must be locked (asserted).
 */
int
mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
    acl_type_t type)
{
	int error;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_deleteacl");

	MAC_POLICY_CHECK(vnode_check_deleteacl, cred, vp, vp->v_label, type);
	MAC_CHECK_PROBE3(vnode_check_deleteacl, error, cred, vp, type);

	return (error);
}
45195fab37eSRobert Watson 
/* SDT probe reporting the decision of the vnode_check_deleteextattr hook. */
MAC_CHECK_PROBE_DEFINE4(vnode_check_deleteextattr, "struct ucred *",
    "struct vnode *", "int", "const char *");

/*
 * Hook: may cred delete extended attribute name in attrnamespace from vp?
 * Policies see the attribute name, so they can protect the EAs that back
 * their own labels.  MAC_POLICY_CHECK assigns the composed result to error;
 * the probe then records it.  vp must be locked (asserted).
 */
int
mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
    int attrnamespace, const char *name)
{
	int error;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_deleteextattr");

	MAC_POLICY_CHECK(vnode_check_deleteextattr, cred, vp, vp->v_label,
	    attrnamespace, name);
	MAC_CHECK_PROBE4(vnode_check_deleteextattr, error, cred, vp,
	    attrnamespace, name);

	return (error);
}
470c096756cSRobert Watson 
/* SDT probe reporting the decision of the vnode_check_exec hook. */
MAC_CHECK_PROBE_DEFINE3(vnode_check_exec, "struct ucred *", "struct vnode *",
    "struct image_params *");

/*
 * Hook: may cred execute the image in vp?  Policies also receive imgp and
 * imgp->execlabel (presumably the label requested for the new image, if
 * any).  MAC_POLICY_CHECK assigns the composed result to error; the probe
 * then records it.  vp must be locked (asserted).
 */
int
mac_vnode_check_exec(struct ucred *cred, struct vnode *vp,
    struct image_params *imgp)
{
	int error;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_exec");

	MAC_POLICY_CHECK(vnode_check_exec, cred, vp, vp->v_label, imgp,
	    imgp->execlabel);
	MAC_CHECK_PROBE3(vnode_check_exec, error, cred, vp, imgp);

	return (error);
}
48895fab37eSRobert Watson 
/* SDT probe reporting the decision of the vnode_check_getacl hook. */
MAC_CHECK_PROBE_DEFINE3(vnode_check_getacl, "struct ucred *",
    "struct vnode *", "acl_type_t");

/*
 * Hook: may cred read the ACL of the given type on vp?  MAC_POLICY_CHECK
 * assigns the composed policy result to error; the probe then records it.
 * vp must be locked (asserted).
 */
int
mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
{
	int error;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_getacl");

	MAC_POLICY_CHECK(vnode_check_getacl, cred, vp, vp->v_label, type);
	MAC_CHECK_PROBE3(vnode_check_getacl, error, cred, vp, type);

	return (error);
}
50495fab37eSRobert Watson 
/* SDT probe reporting the decision of the vnode_check_getextattr hook. */
MAC_CHECK_PROBE_DEFINE4(vnode_check_getextattr, "struct ucred *",
    "struct vnode *", "int", "const char *");

/*
 * Hook: may cred read extended attribute name in attrnamespace from vp?
 * The attribute name is passed so policies can restrict reads of the EAs
 * backing their labels.  MAC_POLICY_CHECK assigns the composed result to
 * error; the probe then records it.  vp must be locked (asserted).
 */
int
mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
    int attrnamespace, const char *name)
{
	int error;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_getextattr");

	MAC_POLICY_CHECK(vnode_check_getextattr, cred, vp, vp->v_label,
	    attrnamespace, name);
	MAC_CHECK_PROBE4(vnode_check_getextattr, error, cred, vp,
	    attrnamespace, name);

	return (error);
}
52395fab37eSRobert Watson 
/* SDT probe reporting the decision of the vnode_check_link hook. */
MAC_CHECK_PROBE_DEFINE4(vnode_check_link, "struct ucred *", "struct vnode *",
    "struct vnode *", "struct componentname *");

/*
 * Hook: may cred create a hard link, named by cnp in directory dvp, to the
 * existing vnode vp?  Both the directory and the target labels are
 * consulted, and both vnodes must be locked (asserted).  MAC_POLICY_CHECK
 * assigns the composed result to error; the probe then records it.
 */
int
mac_vnode_check_link(struct ucred *cred, struct vnode *dvp,
    struct vnode *vp, struct componentname *cnp)
{
	int error;

	ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_link");
	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_link");

	MAC_POLICY_CHECK(vnode_check_link, cred, dvp, dvp->v_label, vp,
	    vp->v_label, cnp);
	MAC_CHECK_PROBE4(vnode_check_link, error, cred, dvp, vp, cnp);

	return (error);
}
5420a694196SRobert Watson 
/* SDT probe reporting the decision of the vnode_check_listextattr hook. */
MAC_CHECK_PROBE_DEFINE3(vnode_check_listextattr, "struct ucred *",
    "struct vnode *", "int");

/*
 * Hook: may cred list the extended attributes of vp in attrnamespace?
 * Unlike the get/delete hooks no attribute name is involved, so the check
 * is per namespace.  MAC_POLICY_CHECK assigns the composed result to error;
 * the probe then records it.  vp must be locked (asserted).
 */
int
mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
    int attrnamespace)
{
	int error;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_listextattr");

	MAC_POLICY_CHECK(vnode_check_listextattr, cred, vp, vp->v_label,
	    attrnamespace);
	MAC_CHECK_PROBE3(vnode_check_listextattr, error, cred, vp,
	    attrnamespace);

	return (error);
}
561c096756cSRobert Watson 
/* SDT probe reporting the decision of the vnode_check_lookup hook. */
MAC_CHECK_PROBE_DEFINE3(vnode_check_lookup, "struct ucred *",
    "struct vnode *", "struct componentname *");

/*
 * Hook: may cred look up the name in cnp inside directory dvp?  When
 * NOMACCHECK is set in cnp->cn_flags the function returns success before
 * any policy is consulted and before the probe fires, so such lookups are
 * invisible to policies and to tracing.  NOTE(review): that makes the flag
 * a complete bypass; it must only ever be set by in-kernel lookups that are
 * already authorised -- confirm at the callers, which are not visible here.
 * Otherwise MAC_POLICY_CHECK assigns the composed result to error and the
 * probe records it.  dvp must be locked (asserted; the tag omits _impl).
 */
int
mac_vnode_check_lookup_impl(struct ucred *cred, struct vnode *dvp,
    struct componentname *cnp)
{
	int error;

	ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_lookup");

	/* Bypass: no policy call, no probe. */
	if ((cnp->cn_flags & NOMACCHECK) != 0)
		return (0);
	MAC_POLICY_CHECK(vnode_check_lookup, cred, dvp, dvp->v_label, cnp);
	MAC_CHECK_PROBE3(vnode_check_lookup, error, cred, dvp, cnp);

	return (error);
}
58095fab37eSRobert Watson 
/* SDT probe reporting the decision of the vnode_check_mmap hook. */
MAC_CHECK_PROBE_DEFINE4(vnode_check_mmap, "struct ucred *", "struct vnode *",
    "int", "int");

/*
 * Hook: may cred map vp with protection prot and mapping flags?  This is
 * the yes/no check; mac_vnode_check_mmap_downgrade() below lets policies
 * reduce prot instead of refusing.  MAC_POLICY_CHECK assigns the composed
 * result to error; the probe then records it.  vp must be locked
 * (asserted; the tag omits _impl).
 */
int
mac_vnode_check_mmap_impl(struct ucred *cred, struct vnode *vp, int prot,
    int flags)
{
	int error;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mmap");

	MAC_POLICY_CHECK(vnode_check_mmap, cred, vp, vp->v_label, prot, flags);
	MAC_CHECK_PROBE4(vnode_check_mmap, error, cred, vp, prot, flags);

	return (error);
}
597e183f80eSRobert Watson 
/*
 * Let the MAC policies adjust the protection bits a caller is about to map
 * vp with.  Unlike the check entry points this one cannot fail: it is a
 * PERFORM, and its only effect is to rewrite *prot.  Policies operate on a
 * private copy of the value and the result is copied back to the caller's
 * storage once all of them have run.  The name implies the bits are only
 * ever reduced; nothing here enforces that, so treat it as convention.
 *
 * vp must be locked so that vp->v_label is stable while policies run.
 */
void
mac_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp,
    int *prot)
{
	int newprot;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mmap_downgrade");

	/* Policies see and modify the copy, not the caller's int. */
	newprot = *prot;
	MAC_POLICY_PERFORM(vnode_check_mmap_downgrade, cred, vp, vp->v_label,
	    &newprot);
	*prot = newprot;
}
611e183f80eSRobert Watson 
MAC_CHECK_PROBE_DEFINE3(vnode_check_mprotect, "struct ucred *",
    "struct vnode *", "int");

/*
 * Policy check for changing the protection of an existing mapping of vp to
 * prot.  vp must be locked so vp->v_label is stable.  'error' is only
 * written by MAC_POLICY_CHECK; the probe records it and it is returned.
 */
int
mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, int prot)
{
	int error;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mprotect");

	MAC_POLICY_CHECK(vnode_check_mprotect, cred, vp, vp->v_label, prot);
	MAC_CHECK_PROBE3(vnode_check_mprotect, error, cred, vp, prot);

	return (error);
}
62795fab37eSRobert Watson 
MAC_CHECK_PROBE_DEFINE3(vnode_check_open, "struct ucred *", "struct vnode *",
    "accmode_t");

/*
 * Policy check for opening vp with access mode accmode on behalf of cred.
 * vp must be locked so vp->v_label is stable.  'error' is only written by
 * MAC_POLICY_CHECK (no explicit assignment here); the probe records it and
 * the same value is returned.  The _impl suffix suggests a wrapper
 * elsewhere gates the call -- confirm in the framework headers.
 */
int
mac_vnode_check_open_impl(struct ucred *cred, struct vnode *vp, accmode_t accmode)
{
	int error;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_open");

	MAC_POLICY_CHECK(vnode_check_open, cred, vp, vp->v_label, accmode);
	MAC_CHECK_PROBE3(vnode_check_open, error, cred, vp, accmode);

	return (error);
}
64395fab37eSRobert Watson 
MAC_CHECK_PROBE_DEFINE3(vnode_check_poll, "struct ucred *", "struct ucred *",
    "struct vnode *");

/*
 * Policy check for polling vp.  Two credentials are passed through to the
 * policies; from the names, active_cred is presumably the credential of
 * the thread performing the operation and file_cred the one the file was
 * opened with -- confirm against the callers.  vp must be locked so
 * vp->v_label is stable.  'error' is only written by MAC_POLICY_CHECK.
 */
int
mac_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp)
{
	int error;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_poll");

	MAC_POLICY_CHECK(vnode_check_poll, active_cred, file_cred, vp,
	    vp->v_label);
	MAC_CHECK_PROBE3(vnode_check_poll, error, active_cred, file_cred,
	    vp);

	return (error);
}
6627f724f8bSRobert Watson 
MAC_CHECK_PROBE_DEFINE3(vnode_check_read, "struct ucred *", "struct ucred *",
    "struct vnode *");

/*
 * Policy check for reading from vp.  Both the active credential and the
 * file credential are forwarded to the policies (the distinction between
 * them is not established here; see the callers).  vp must be locked so
 * vp->v_label is stable.  'error' is only written by MAC_POLICY_CHECK; the
 * probe records it and it is returned.  The _impl suffix suggests a
 * gating wrapper elsewhere -- confirm in the framework headers.
 */
int
mac_vnode_check_read_impl(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp)
{
	int error;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_read");

	MAC_POLICY_CHECK(vnode_check_read, active_cred, file_cred, vp,
	    vp->v_label);
	MAC_CHECK_PROBE3(vnode_check_read, error, active_cred, file_cred,
	    vp);

	return (error);
}
6817f724f8bSRobert Watson 
MAC_CHECK_PROBE_DEFINE2(vnode_check_readdir, "struct ucred *",
    "struct vnode *");

/*
 * Policy check for reading the entries of directory dvp.  dvp must be
 * locked so dvp->v_label is stable.  'error' is only written by
 * MAC_POLICY_CHECK; the probe records it and the same value is returned.
 */
int
mac_vnode_check_readdir(struct ucred *cred, struct vnode *dvp)
{
	int error;

	ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_readdir");

	MAC_POLICY_CHECK(vnode_check_readdir, cred, dvp, dvp->v_label);
	MAC_CHECK_PROBE2(vnode_check_readdir, error, cred, dvp);

	return (error);
}
69795fab37eSRobert Watson 
MAC_CHECK_PROBE_DEFINE2(vnode_check_readlink, "struct ucred *",
    "struct vnode *");

/*
 * Policy check for reading the target of symbolic link vp.  vp must be
 * locked so vp->v_label is stable.  'error' is only written by
 * MAC_POLICY_CHECK; the probe records it and it is returned.  The _impl
 * suffix suggests a gating wrapper elsewhere -- confirm in the headers.
 */
int
mac_vnode_check_readlink_impl(struct ucred *cred, struct vnode *vp)
{
	int error;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_readlink");

	MAC_POLICY_CHECK(vnode_check_readlink, cred, vp, vp->v_label);
	MAC_CHECK_PROBE2(vnode_check_readlink, error, cred, vp);

	return (error);
}
71395fab37eSRobert Watson 
MAC_CHECK_PROBE_DEFINE3(vnode_check_relabel, "struct ucred *",
    "struct vnode *", "struct label *");

/*
 * Policy check for replacing the label of vp with newlabel on behalf of
 * cred.  File-local: it is the first phase of vn_setlabel() below and is
 * not exposed as a general entry point.  vp must be locked so the current
 * vp->v_label is stable while policies compare it against newlabel.
 * 'error' is only written by MAC_POLICY_CHECK.
 */
static int
mac_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
    struct label *newlabel)
{
	int error;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_relabel");

	MAC_POLICY_CHECK(vnode_check_relabel, cred, vp, vp->v_label, newlabel);
	MAC_CHECK_PROBE3(vnode_check_relabel, error, cred, vp, newlabel);

	return (error);
}
73095fab37eSRobert Watson 
MAC_CHECK_PROBE_DEFINE4(vnode_check_rename_from, "struct ucred *",
    "struct vnode *", "struct vnode *", "struct componentname *");

/*
 * Policy check for the source side of a rename: removing the entry named by
 * cnp (vnode vp) from directory dvp.  Both vnodes must be locked, since the
 * labels of both are handed to the policies.  'error' is only written by
 * MAC_POLICY_CHECK; the probe records it and it is returned.
 */
int
mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
    struct vnode *vp, struct componentname *cnp)
{
	int error;

	ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_rename_from");
	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_rename_from");

	MAC_POLICY_CHECK(vnode_check_rename_from, cred, dvp, dvp->v_label, vp,
	    vp->v_label, cnp);
	MAC_CHECK_PROBE4(vnode_check_rename_from, error, cred, dvp, vp, cnp);

	return (error);
}
74995fab37eSRobert Watson 
MAC_CHECK_PROBE_DEFINE4(vnode_check_rename_to, "struct ucred *",
    "struct vnode *", "struct vnode *", "struct componentname *");

/*
 * Policy check for the destination side of a rename into directory dvp
 * under the name in cnp.  vp is the vnode currently at the destination and
 * may be NULL when nothing is there yet, which is why its label is passed
 * conditionally; samedir flags whether source and destination directories
 * are the same.  ASSERT_VOP_LOCKED is applied to vp unconditionally, so it
 * is presumably NULL-tolerant -- confirm.  'error' is only written by
 * MAC_POLICY_CHECK; the probe records it and it is returned.
 */
int
mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
    struct vnode *vp, int samedir, struct componentname *cnp)
{
	int error;

	ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_rename_to");
	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_rename_to");

	/* No existing destination means no destination label. */
	MAC_POLICY_CHECK(vnode_check_rename_to, cred, dvp, dvp->v_label, vp,
	    vp != NULL ? vp->v_label : NULL, samedir, cnp);
	MAC_CHECK_PROBE4(vnode_check_rename_to, error, cred, dvp, vp, cnp);
	return (error);
}
76795fab37eSRobert Watson 
MAC_CHECK_PROBE_DEFINE2(vnode_check_revoke, "struct ucred *",
    "struct vnode *");

/*
 * Policy check for revoking access to vp (as done for revoke(2)).  vp must
 * be locked so vp->v_label is stable.  'error' is only written by
 * MAC_POLICY_CHECK; the probe records it and the same value is returned.
 */
int
mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp)
{
	int error;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_revoke");

	MAC_POLICY_CHECK(vnode_check_revoke, cred, vp, vp->v_label);
	MAC_CHECK_PROBE2(vnode_check_revoke, error, cred, vp);

	return (error);
}
78395fab37eSRobert Watson 
MAC_CHECK_PROBE_DEFINE4(vnode_check_setacl, "struct ucred *",
    "struct vnode *", "acl_type_t", "struct acl *");

/*
 * Policy check for installing ACL acl of kind type on vp.  The ACL itself
 * is forwarded so policies can inspect the proposed contents, not just the
 * fact of the change.  vp must be locked so vp->v_label is stable.  'error'
 * is only written by MAC_POLICY_CHECK; the probe records it and it is
 * returned.
 */
int
mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
    struct acl *acl)
{
	int error;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setacl");

	MAC_POLICY_CHECK(vnode_check_setacl, cred, vp, vp->v_label, type, acl);
	MAC_CHECK_PROBE4(vnode_check_setacl, error, cred, vp, type, acl);

	return (error);
}
80095fab37eSRobert Watson 
MAC_CHECK_PROBE_DEFINE4(vnode_check_setextattr, "struct ucred *",
    "struct vnode *", "int", "const char *");

/*
 * Policy check for setting extended attribute name in attrnamespace on vp.
 * Only the namespace and name are passed to policies, not the attribute
 * value.  vp must be locked so vp->v_label is stable.  'error' is only
 * written by MAC_POLICY_CHECK; the probe records it and it is returned.
 */
int
mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
    int attrnamespace, const char *name)
{
	int error;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setextattr");

	MAC_POLICY_CHECK(vnode_check_setextattr, cred, vp, vp->v_label,
	    attrnamespace, name);
	MAC_CHECK_PROBE4(vnode_check_setextattr, error, cred, vp,
	    attrnamespace, name);

	return (error);
}
81995fab37eSRobert Watson 
MAC_CHECK_PROBE_DEFINE3(vnode_check_setflags, "struct ucred *",
    "struct vnode *", "u_long");

/*
 * Policy check for setting the file flags of vp to flags (chflags(2)).
 * vp must be locked so vp->v_label is stable.  'error' is only written by
 * MAC_POLICY_CHECK; the probe records it and the same value is returned.
 */
int
mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
{
	int error;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setflags");

	MAC_POLICY_CHECK(vnode_check_setflags, cred, vp, vp->v_label, flags);
	MAC_CHECK_PROBE3(vnode_check_setflags, error, cred, vp, flags);

	return (error);
}
83595fab37eSRobert Watson 
MAC_CHECK_PROBE_DEFINE3(vnode_check_setmode, "struct ucred *",
    "struct vnode *", "mode_t");

/*
 * Policy check for changing the permission bits of vp to mode (chmod(2)).
 * vp must be locked so vp->v_label is stable.  'error' is only written by
 * MAC_POLICY_CHECK; the probe records it and the same value is returned.
 */
int
mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
{
	int error;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setmode");

	MAC_POLICY_CHECK(vnode_check_setmode, cred, vp, vp->v_label, mode);
	MAC_CHECK_PROBE3(vnode_check_setmode, error, cred, vp, mode);

	return (error);
}
85195fab37eSRobert Watson 
MAC_CHECK_PROBE_DEFINE4(vnode_check_setowner, "struct ucred *",
    "struct vnode *", "uid_t", "gid_t");

/*
 * Policy check for changing the owner and group of vp to uid/gid
 * (chown(2)).  vp must be locked so vp->v_label is stable.  'error' is only
 * written by MAC_POLICY_CHECK; the probe records it and it is returned.
 */
int
mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
    gid_t gid)
{
	int error;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setowner");

	MAC_POLICY_CHECK(vnode_check_setowner, cred, vp, vp->v_label, uid, gid);
	MAC_CHECK_PROBE4(vnode_check_setowner, error, cred, vp, uid, gid);

	return (error);
}
86895fab37eSRobert Watson 
MAC_CHECK_PROBE_DEFINE4(vnode_check_setutimes, "struct ucred *",
    "struct vnode *", "struct timespec *", "struct timespec *");

/*
 * Policy check for setting the access and modification times of vp.  The
 * timespecs arrive by value; policies receive the copies, and the probe is
 * handed the addresses of those local copies (hence the pointer types in
 * the probe definition).  vp must be locked so vp->v_label is stable.
 * 'error' is only written by MAC_POLICY_CHECK.
 */
int
mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
    struct timespec atime, struct timespec mtime)
{
	int error;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setutimes");

	MAC_POLICY_CHECK(vnode_check_setutimes, cred, vp, vp->v_label, atime,
	    mtime);
	MAC_CHECK_PROBE4(vnode_check_setutimes, error, cred, vp, &atime,
	    &mtime);

	return (error);
}
88795fab37eSRobert Watson 
MAC_CHECK_PROBE_DEFINE3(vnode_check_stat, "struct ucred *", "struct ucred *",
    "struct vnode *");

/*
 * Policy check for retrieving the attributes of vp (stat family).  Both the
 * active credential and the file credential are forwarded to the policies.
 * vp must be locked so vp->v_label is stable.  'error' is only written by
 * MAC_POLICY_CHECK; the probe records it and it is returned.  The _impl
 * suffix suggests a gating wrapper elsewhere -- confirm in the headers.
 */
int
mac_vnode_check_stat_impl(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp)
{
	int error;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_stat");

	MAC_POLICY_CHECK(vnode_check_stat, active_cred, file_cred, vp,
	    vp->v_label);
	MAC_CHECK_PROBE3(vnode_check_stat, error, active_cred, file_cred,
	    vp);

	return (error);
}
90695fab37eSRobert Watson 
MAC_CHECK_PROBE_DEFINE4(vnode_check_unlink, "struct ucred *",
    "struct vnode *", "struct vnode *", "struct componentname *");

/*
 * Policy check for removing entry cnp (vnode vp) from directory dvp.  Both
 * vnodes must be locked, since both labels are handed to the policies.
 * 'error' is only written by MAC_POLICY_CHECK; the probe records it and the
 * same value is returned.
 */
int
mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
    struct vnode *vp, struct componentname *cnp)
{
	int error;

	ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_unlink");
	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_unlink");

	MAC_POLICY_CHECK(vnode_check_unlink, cred, dvp, dvp->v_label, vp,
	    vp->v_label, cnp);
	MAC_CHECK_PROBE4(vnode_check_unlink, error, cred, dvp, vp, cnp);

	return (error);
}
92545e0f3d6SRobert Watson 
MAC_CHECK_PROBE_DEFINE3(vnode_check_write, "struct ucred *",
    "struct ucred *", "struct vnode *");

/*
 * Policy check for writing to vp.  Both the active credential and the file
 * credential are forwarded to the policies.  vp must be locked so
 * vp->v_label is stable.  'error' is only written by MAC_POLICY_CHECK; the
 * probe records it and it is returned.  The _impl suffix suggests a gating
 * wrapper elsewhere -- confirm in the framework headers.
 */
int
mac_vnode_check_write_impl(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp)
{
	int error;

	ASSERT_VOP_LOCKED(vp, "mac_vnode_check_write");

	MAC_POLICY_CHECK(vnode_check_write, active_cred, file_cred, vp,
	    vp->v_label);
	MAC_CHECK_PROBE3(vnode_check_write, error, active_cred, file_cred,
	    vp);

	return (error);
}
9447f724f8bSRobert Watson 
/*
 * Commit a label change: let every policy update vp->v_label from newlabel.
 * This is a PERFORM with no return value, so authorisation must already
 * have happened (see mac_vnode_check_relabel() and vn_setlabel()).  No lock
 * assertion is made here, unlike the check entry points; callers such as
 * vop_stdsetlabel_ea() hold the vnode lock themselves.
 */
void
mac_vnode_relabel(struct ucred *cred, struct vnode *vp,
    struct label *newlabel)
{

	MAC_POLICY_PERFORM(vnode_relabel, cred, vp, vp->v_label, newlabel);
}
95295fab37eSRobert Watson 
/*
 * Notify policies that mount mp is being created by cred so they can
 * initialise mp->mnt_label.  PERFORM only: there is no verdict to return.
 */
void
mac_mount_create(struct ucred *cred, struct mount *mp)
{

	MAC_POLICY_PERFORM(mount_create, cred, mp, mp->mnt_label);
}
95995fab37eSRobert Watson 
MAC_CHECK_PROBE_DEFINE2(mount_check_stat, "struct ucred *",
    "struct mount *");

/*
 * Policy check for querying the status of mount point mount (statfs and
 * friends).  This uses the NOSLEEP variant of the check macro and makes no
 * lock assertion, unlike the vnode checks above -- presumably because
 * callers may hold non-sleepable locks; confirm before changing either.
 * 'error' is only written by MAC_POLICY_CHECK_NOSLEEP; the probe records it
 * and it is returned.
 */
int
mac_mount_check_stat(struct ucred *cred, struct mount *mount)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(mount_check_stat, cred, mount, mount->mnt_label);
	MAC_CHECK_PROBE2(mount_check_stat, error, cred, mount);

	return (error);
}
97395fab37eSRobert Watson 
/*
 * Notify policies that devfs is creating directory entry de for character
 * device dev on mount mp, so they can initialise de->de_label.  Uses the
 * NOSLEEP variant of PERFORM; no verdict is returned.
 */
void
mac_devfs_create_device(struct ucred *cred, struct mount *mp,
    struct cdev *dev, struct devfs_dirent *de)
{

	MAC_POLICY_PERFORM_NOSLEEP(devfs_create_device, cred, mp, dev, de,
	    de->de_label);
}
98295fab37eSRobert Watson 
/*
 * Notify policies that devfs is creating symlink entry de inside directory
 * entry dd on mount mp.  Both the parent's label (dd->de_label) and the new
 * entry's label (de->de_label) are passed so policies can derive the latter
 * from the former.  NOSLEEP PERFORM; no verdict is returned.
 */
void
mac_devfs_create_symlink(struct ucred *cred, struct mount *mp,
    struct devfs_dirent *dd, struct devfs_dirent *de)
{

	MAC_POLICY_PERFORM_NOSLEEP(devfs_create_symlink, cred, mp, dd,
	    dd->de_label, de, de->de_label);
}
99174e62b1bSRobert Watson 
/*
 * Notify policies that devfs is creating directory entry de on mount mp so
 * they can initialise de->de_label.  The directory name is passed with an
 * explicit length (dirname, dirnamelen); it is presumably not guaranteed to
 * be NUL-terminated -- policies should honour the length.  Note there is no
 * credential argument, unlike the other devfs entry points.  NOSLEEP
 * PERFORM; no verdict is returned.
 */
void
mac_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen,
    struct devfs_dirent *de)
{

	MAC_POLICY_PERFORM_NOSLEEP(devfs_create_directory, mp, dirname,
	    dirnamelen, de, de->de_label);
}
100095fab37eSRobert Watson 
/*
 * Generic VOP_SETLABEL() for filesystems that keep MAC label data in
 * extended attributes.  Persists the label through
 * mac_vnode_setlabel_extattr() and, only if that succeeds, updates the
 * in-memory vnode label.  Filesystems supporting extended attributes can
 * point their vop_setlabel at this.
 *
 * Returns 0 on success, EOPNOTSUPP when the mount is not MNT_MULTILABEL,
 * or the error from mac_vnode_setlabel_extattr().  The vnode must be
 * locked on entry.
 */
int
vop_stdsetlabel_ea(struct vop_setlabel_args *ap)
{
	struct vnode *vp;
	int error;

	vp = ap->a_vp;
	ASSERT_VOP_LOCKED(vp, "vop_stdsetlabel_ea");

	/* Only multilabel mounts carry per-vnode labels. */
	if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0)
		return (EOPNOTSUPP);

	/* Persist first; the in-memory label is touched only on success. */
	error = mac_vnode_setlabel_extattr(ap->a_cred, vp, ap->a_label);
	if (error != 0)
		return (error);

	/*
	 * XXXRW: See vn_setlabel() for why updating the vnode label here,
	 * inside the filesystem's VOP, rather than in the caller, may be the
	 * wrong split of responsibilities.
	 */
	mac_vnode_relabel(ap->a_cred, vp, ap->a_label);
	return (0);
}
103095fab37eSRobert Watson 
/*
 * Relabel vp with intlabel on behalf of cred.  Three phases, any of which
 * aborts the operation with its error: ask the MAC policies whether the
 * relabel is permitted, confirm the filesystem grants VADMIN on the vnode,
 * then hand the label to the filesystem through VOP_SETLABEL().
 *
 * Returns EBADF for a vnode with no mount, EOPNOTSUPP when the mount is
 * not MNT_MULTILABEL, otherwise 0 or the first error encountered.
 */
int
vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred)
{
	struct mount *mp;
	int error;

	mp = vp->v_mount;
	if (mp == NULL) {
		/* A label-less vnode of any real type is unexpected. */
		if (vp->v_type != VNON)
			printf("vn_setlabel: null v_mount with non-VNON\n");
		return (EBADF);
	}
	if ((mp->mnt_flag & MNT_MULTILABEL) == 0)
		return (EOPNOTSUPP);

	/* Phase 1: the policies decide whether this relabel is allowed. */
	error = mac_vnode_check_relabel(cred, vp, intlabel);
	if (error != 0)
		return (error);

	/*
	 * Phase 2: VADMIN lets the filesystem decide who may alter labels and
	 * protections on a file.  It is checked here rather than assumed of
	 * VOP_SETLABEL(), since that may be vop_stdsetlabel_ea(), which does
	 * no such check.  Whether VADMIN is the right test is an open point.
	 */
	error = VOP_ACCESS(vp, VADMIN, cred, curthread);
	if (error != 0)
		return (error);

	/*
	 * Phase 3: commit through the filesystem.  For historical reasons the
	 * vnode label update (mac_vnode_relabel()) happens inside
	 * VOP_SETLABEL() rather than here; the cleaner split would make the
	 * filesystem responsible for persistence only and do the label update
	 * at this point.
	 */
	return (VOP_SETLABEL(vp, intlabel, cred, curthread));
}
10806ebab6baSMateusz Guzik 
10816ebab6baSMateusz Guzik #ifdef DEBUG_VFS_LOCKS
/*
 * Out-of-line form of ASSERT_VOP_LOCKED() with the reporting function name
 * supplied by the caller.  Only compiled under DEBUG_VFS_LOCKS (see the
 * surrounding #ifdef); presumably for callers that cannot use the macro
 * directly -- confirm against its users.
 */
void
mac_vnode_assert_locked(struct vnode *vp, const char *func)
{

	ASSERT_VOP_LOCKED(vp, func);
}
10886ebab6baSMateusz Guzik #endif
1089