Index: i386/i386/sys_machdep.c =================================================================== RCS file: /home/ncvs/src/sys/i386/i386/sys_machdep.c,v retrieving revision 1.104 diff -u -r1.104 sys_machdep.c --- i386/i386/sys_machdep.c 26 Dec 2005 00:07:19 -0000 1.104 +++ i386/i386/sys_machdep.c 26 Mar 2006 21:58:10 -0000 @@ -286,7 +286,8 @@ char *iomap; #ifdef MAC - if ((error = mac_check_sysarch_ioperm(td->td_ucred)) != 0) + error = mac_check_sysarch_ioperm(td->td_ucred); + if (error != 0) return (error); #endif if ((error = suser(td)) != 0) Index: kern/kern_alq.c =================================================================== RCS file: /home/ncvs/src/sys/kern/kern_alq.c,v retrieving revision 1.14 diff -u -r1.14 kern_alq.c --- kern/kern_alq.c 27 Jan 2006 11:25:06 -0000 1.14 +++ kern/kern_alq.c 26 Mar 2006 21:58:10 -0000 @@ -250,6 +250,9 @@ struct ale *alstart; int totlen; int iov; +#ifdef MAC + int error; +#endif vp = alq->aq_vp; td = curthread; @@ -298,7 +301,8 @@ * XXX: VOP_WRITE error checks are ignored. */ #ifdef MAC - if (mac_check_vnode_write(alq->aq_cred, NOCRED, vp) == 0) + error = mac_check_vnode_write(alq->aq_cred, NOCRED, vp); + if (error == 0) #endif VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, alq->aq_cred); VOP_UNLOCK(vp, 0, td); Index: kern/kern_jail.c =================================================================== RCS file: /home/ncvs/src/sys/kern/kern_jail.c,v retrieving revision 1.51 diff -u -r1.51 kern_jail.c --- kern/kern_jail.c 28 Sep 2005 00:30:56 -0000 1.51 +++ kern/kern_jail.c 26 Mar 2006 21:58:10 -0000 
@@ -225,7 +225,8 @@ if ((error = change_dir(pr->pr_root, td)) != 0) goto e_unlock; #ifdef MAC - if ((error = mac_check_vnode_chroot(td->td_ucred, pr->pr_root))) + error = mac_check_vnode_chroot(td->td_ucred, pr->pr_root); + if (error) goto e_unlock; #endif VOP_UNLOCK(pr->pr_root, 0, td); Index: kern/kern_mac.c =================================================================== RCS file: /home/ncvs/src/sys/kern/kern_mac.c,v retrieving revision 1.120 diff -u -r1.120 kern_mac.c --- kern/kern_mac.c 19 Mar 2006 20:43:07 -0000 1.120 +++ kern/kern_mac.c 26 Mar 2006 21:58:11 -0000 @@ -570,7 +570,7 @@ } int -mac_check_structmac_consistent(struct mac *mac) +mac_structmac_consistent(struct mac *mac) { if (mac->m_buflen < 0 || @@ -596,7 +596,7 @@ if (error) return (error); - error = mac_check_structmac_consistent(&mac); + error = mac_structmac_consistent(&mac); if (error) return (error); @@ -646,7 +646,7 @@ if (error) return (error); - error = mac_check_structmac_consistent(&mac); + error = mac_structmac_consistent(&mac); if (error) return (error); @@ -685,7 +685,7 @@ if (error) return (error); - error = mac_check_structmac_consistent(&mac); + error = mac_structmac_consistent(&mac); if (error) return (error); @@ -759,7 +759,7 @@ if (error) return (error); - error = mac_check_structmac_consistent(&mac); + error = mac_structmac_consistent(&mac); if (error) return (error); @@ -844,7 +844,7 @@ if (error) return (error); - error = mac_check_structmac_consistent(&mac); + error = mac_structmac_consistent(&mac); if (error) return (error); @@ -897,7 +897,7 @@ if (error) return (error); - error = mac_check_structmac_consistent(&mac); + error = mac_structmac_consistent(&mac); if (error) return (error); @@ -954,7 +954,7 @@ if (error) return (error); - error = mac_check_structmac_consistent(&mac); + error = mac_structmac_consistent(&mac); if (error) return (error); 
@@ -1046,7 +1046,7 @@ if (error) return (error); - error = mac_check_structmac_consistent(&mac); + error = mac_structmac_consistent(&mac); if (error) return (error); @@ -1100,7 +1100,7 @@ if (error) return (error); - error = mac_check_structmac_consistent(&mac); + error = mac_structmac_consistent(&mac); if (error) return (error); Index: kern/kern_prot.c =================================================================== RCS file: /home/ncvs/src/sys/kern/kern_prot.c,v retrieving revision 1.202 diff -u -r1.202 kern_prot.c --- kern/kern_prot.c 6 Feb 2006 00:32:33 -0000 1.202 +++ kern/kern_prot.c 26 Mar 2006 21:58:12 -0000 @@ -1481,7 +1481,8 @@ if ((error = prison_check(u1, u2))) return (error); #ifdef MAC - if ((error = mac_check_cred_visible(u1, u2))) + error = mac_check_cred_visible(u1, u2); + if (error) return (error); #endif if ((error = cr_seeotheruids(u1, u2))) @@ -1542,7 +1543,8 @@ if (error) return (error); #ifdef MAC - if ((error = mac_check_proc_signal(cred, proc, signum))) + error = mac_check_proc_signal(cred, proc, signum); + if (error) return (error); #endif if ((error = cr_seeotheruids(cred, proc->p_ucred))) @@ -1661,7 +1663,8 @@ if ((error = prison_check(td->td_ucred, p->p_ucred))) return (error); #ifdef MAC - if ((error = mac_check_proc_sched(td->td_ucred, p))) + error = mac_check_proc_sched(td->td_ucred, p); + if (error) return (error); #endif if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) @@ -1724,7 +1727,8 @@ if ((error = prison_check(td->td_ucred, p->p_ucred))) return (error); #ifdef MAC - if ((error = mac_check_proc_debug(td->td_ucred, p))) + error = mac_check_proc_debug(td->td_ucred, p); + if (error) return (error); #endif if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) 
@@ -1837,7 +1841,8 @@ if ((error = prison_check(td->td_ucred, p->p_ucred))) return (error); #ifdef MAC - if ((error = mac_check_proc_wait(td->td_ucred, p))) + error = mac_check_proc_wait(td->td_ucred, p); + if (error) return (error); #endif #if 0 Index: kern/vfs_syscalls.c =================================================================== RCS file: /home/ncvs/src/sys/kern/vfs_syscalls.c,v retrieving revision 1.412 diff -u -r1.412 vfs_syscalls.c --- kern/vfs_syscalls.c 21 Mar 2006 23:58:37 -0000 1.412 +++ kern/vfs_syscalls.c 26 Mar 2006 21:58:14 -0000 @@ -430,7 +430,8 @@ continue; } #ifdef MAC - if (mac_check_mount_stat(td->td_ucred, mp) != 0) { + error = mac_check_mount_stat(td->td_ucred, mp); + if (error != 0) { nmp = TAILQ_NEXT(mp, mnt_list); continue; } @@ -696,10 +697,10 @@ if (vp->v_type != VDIR) error = ENOTDIR; #ifdef MAC - else if ((error = mac_check_vnode_chdir(td->td_ucred, vp)) != 0) { - } + if (error == 0) + error = mac_check_vnode_chdir(td->td_ucred, vp); #endif - else + if (error == 0) error = VOP_ACCESS(vp, VEXEC, td->td_ucred, td); while (!error && (mp = vp->v_mountedhere) != NULL) { int tvfslocked; @@ -856,7 +857,8 @@ if ((error = change_dir(nd.ni_vp, td)) != 0) goto e_vunlock; #ifdef MAC - if ((error = mac_check_vnode_chroot(td->td_ucred, nd.ni_vp))) + error = mac_check_vnode_chroot(td->td_ucred, nd.ni_vp); + if (error) goto e_vunlock; #endif VOP_UNLOCK(nd.ni_vp, 0, td); @@ -3042,8 +3044,8 @@ if (vp->v_type == VDIR) error = EISDIR; #ifdef MAC - else if ((error = mac_check_vnode_write(td->td_ucred, NOCRED, vp))) { - } + if (error == 0) + error = mac_check_vnode_write(td->td_ucred, NOCRED, vp); #endif else if ((error = vn_writechk(vp)) == 0 && (error = VOP_ACCESS(vp, VWRITE, td->td_ucred, td)) == 0) { 
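Review bot: In the kern/vfs_syscalls.c hunk at -696, both new `if (error == 0)` tests read `error` when `vp` is a directory, and nothing visible in the hunk assigns it on that path; the old `else if`/`else` chain wrote `error` on every branch before reading it. The declaration and any earlier assignment are outside the hunk, so this is a defect only if `error` is not already zero at this point. If it is not, the `mac_check_vnode_chdir()` and `VOP_ACCESS()` checks can be skipped on an indeterminate value. Making the first statement unconditional removes that dependency: `error = (vp->v_type != VDIR) ? ENOTDIR : 0;`.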
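Review bot: With MAC defined, the context line `else if ((error = vn_writechk(vp)) == 0 &&` after `#endif` now pairs with the new `if (error == 0)` rather than with the `VDIR` test, both in this kern/vfs_syscalls.c hunk at -3042 and in the one at -3102. A successful `mac_check_vnode_write()` therefore skips `vn_writechk()`, `VOP_ACCESS()` and the block they guard, while a non-zero `error` such as `EISDIR` takes the `else` branch and is overwritten by `vn_writechk()` with no MAC check made. Without MAC the `else` still pairs with the directory test, so the two kernel configurations behave differently. Changing the line after `#endif` to `if (error == 0 && (error = vn_writechk(vp)) == 0 &&` (and `if (error == 0 && (error = vn_writechk(vp)) == 0) {` at -3102) restores the intended order. That fix assumes `error` is zero when the chain is entered, which is set outside the hunk.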
@@ -3102,9 +3104,8 @@ if (vp->v_type == VDIR) error = EISDIR; #ifdef MAC - else if ((error = mac_check_vnode_write(td->td_ucred, fp->f_cred, - vp))) { - } + if (error == 0) + error = mac_check_vnode_write(td->td_ucred, fp->f_cred, vp); #endif else if ((error = vn_writechk(vp)) == 0) { VATTR_NULL(&vattr); Index: net/bpf.c =================================================================== RCS file: /home/ncvs/src/sys/net/bpf.c,v retrieving revision 1.163 diff -u -r1.163 bpf.c --- net/bpf.c 7 Dec 2005 21:30:47 -0000 1.163 +++ net/bpf.c 26 Mar 2006 21:58:15 -0000 @@ -1271,6 +1271,9 @@ { struct bpf_d *d; u_int slen; +#ifdef MAC + int error; +#endif /* * Lockless read to avoid cost of locking the interface if there are @@ -1292,7 +1295,8 @@ if (slen != 0) { d->bd_fcount++; #ifdef MAC - if (mac_check_bpfdesc_receive(d, bp->bif_ifp) == 0) + error = mac_check_bpfdesc_receive(d, bp->bif_ifp); + if (error == 0) #endif catchpacket(d, pkt, pktlen, slen, bcopy); } @@ -1338,6 +1342,9 @@ { struct bpf_d *d; u_int pktlen, slen; +#ifdef MAC + int error; +#endif /* * Lockless read to avoid cost of locking the interface if there are @@ -1366,7 +1373,8 @@ if (slen != 0) { d->bd_fcount++; #ifdef MAC - if (mac_check_bpfdesc_receive(d, bp->bif_ifp) == 0) + error = mac_check_bpfdesc_receive(d, bp->bif_ifp); + if (error == 0) #endif catchpacket(d, (u_char *)m, pktlen, slen, bpf_mcopy); @@ -1390,6 +1398,9 @@ struct mbuf mb; struct bpf_d *d; u_int pktlen, slen; +#ifdef MAC + int error; +#endif /* * Lockless read to avoid cost of locking the interface if there are 
@@ -1419,7 +1430,8 @@ if (slen != 0) { d->bd_fcount++; #ifdef MAC - if (mac_check_bpfdesc_receive(d, bp->bif_ifp) == 0) + error = mac_check_bpfdesc_receive(d, bp->bif_ifp); + if (error == 0) #endif catchpacket(d, (u_char *)&mb, pktlen, slen, bpf_mcopy); Index: netatalk/ddp_input.c =================================================================== RCS file: /home/ncvs/src/sys/netatalk/ddp_input.c,v retrieving revision 1.29 diff -u -r1.29 ddp_input.c --- netatalk/ddp_input.c 7 Jan 2005 02:35:34 -0000 1.29 +++ netatalk/ddp_input.c 26 Mar 2006 21:58:15 -0000 @@ -136,6 +136,9 @@ struct ddpcb *ddp; int dlen, mlen; u_short cksum = 0; +#ifdef MAC + int error; +#endif bzero((caddr_t)&from, sizeof(struct sockaddr_at)); bzero((caddr_t)&to, sizeof(struct sockaddr_at)); @@ -411,7 +414,8 @@ #ifdef MAC SOCK_LOCK(ddp->ddp_socket); - if (mac_check_socket_deliver(ddp->ddp_socket, m) != 0) { + error = mac_check_socket_deliver(ddp->ddp_socket, m); + if (error != 0) { SOCK_UNLOCK(ddp->ddp_socket); goto out; } Index: netinet/raw_ip.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/raw_ip.c,v retrieving revision 1.156 diff -u -r1.156 raw_ip.c --- netinet/raw_ip.c 14 Dec 2005 22:27:48 -0000 1.156 +++ netinet/raw_ip.c 26 Mar 2006 21:58:15 -0000 @@ -140,6 +140,9 @@ raw_append(struct inpcb *last, struct ip *ip, struct mbuf *n) { int policyfail = 0; +#ifdef MAC + int error; +#endif INP_LOCK_ASSERT(last); 
@@ -154,7 +157,8 @@ } #endif /*IPSEC || FAST_IPSEC*/ #ifdef MAC - if (!policyfail && mac_check_inpcb_deliver(last, n) != 0) + error = mac_check_inpcb_deliver(last, n); + if (!policyfail && error != 0) policyfail = 1; #endif /* Check the minimum TTL for socket. */ Index: netinet/tcp_input.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/tcp_input.c,v retrieving revision 1.292 diff -u -r1.292 tcp_input.c --- netinet/tcp_input.c 26 Mar 2006 01:33:41 -0000 1.292 +++ netinet/tcp_input.c 26 Mar 2006 21:58:17 -0000 @@ -456,6 +456,9 @@ struct tcphdr tcp_savetcp; short ostate = 0; #endif +#ifdef MAC + int error; +#endif #ifdef INET6 isipv6 = (mtod(m, struct ip *)->ip_v == 6) ? 1 : 0; @@ -780,7 +783,8 @@ #ifdef MAC INP_LOCK_ASSERT(inp); - if (mac_check_inpcb_deliver(inp, m)) + error = mac_check_inpcb_deliver(inp, m); + if (error) goto drop; #endif so = inp->inp_socket; Index: netinet/udp_usrreq.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/udp_usrreq.c,v retrieving revision 1.182 diff -u -r1.182 udp_usrreq.c --- netinet/udp_usrreq.c 24 Jan 2006 09:08:54 -0000 1.182 +++ netinet/udp_usrreq.c 26 Mar 2006 21:58:18 -0000 @@ -442,6 +442,9 @@ #ifdef INET6 struct sockaddr_in6 udp_in6; #endif +#ifdef MAC + int error; +#endif INP_LOCK_ASSERT(last); @@ -456,7 +459,8 @@ } #endif /*IPSEC || FAST_IPSEC*/ #ifdef MAC - if (mac_check_inpcb_deliver(last, n) != 0) { + error = mac_check_inpcb_deliver(last, n); + if (error != 0) { m_freem(n); return; } Index: security/mac/mac_internal.h =================================================================== RCS file: /home/ncvs/src/sys/security/mac/mac_internal.h,v retrieving revision 1.112 diff -u -r1.112 mac_internal.h --- security/mac/mac_internal.h 22 Oct 2004 11:07:18 -0000 1.112 +++ security/mac/mac_internal.h 26 Mar 2006 21:58:18 -0000 
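Review bot: Hoisting the call out of the condition in the netinet/raw_ip.c hunk at -154 removes the short-circuit: `mac_check_inpcb_deliver(last, n)` used to run only while `policyfail` was still 0 and now runs for every packet. That includes packets the preceding IPsec block has presumably already marked as rejected; that block is only partly visible here, so this is inferred from the `IPSEC || FAST_IPSEC` context line. The final value of `policyfail` is unchanged, but MAC policy modules are now consulted, and may count or log, for packets that will be dropped anyway. Keeping the guard preserves the old behaviour: `if (!policyfail) { error = mac_check_inpcb_deliver(last, n); if (error != 0) policyfail = 1; }`.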
@@ -100,7 +100,7 @@ void mac_init_label(struct label *label); void mac_destroy_label(struct label *label); -int mac_check_structmac_consistent(struct mac *mac); +int mac_structmac_consistent(struct mac *mac); int mac_allocate_slot(void); /* Index: security/mac/mac_net.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac/mac_net.c,v retrieving revision 1.117 diff -u -r1.117 mac_net.c --- security/mac/mac_net.c 5 Jul 2005 23:39:50 -0000 1.117 +++ security/mac/mac_net.c 26 Mar 2006 21:58:18 -0000 @@ -426,7 +426,7 @@ if (error) return (error); - error = mac_check_structmac_consistent(&mac); + error = mac_structmac_consistent(&mac); if (error) return (error); @@ -467,7 +467,7 @@ if (error) return (error); - error = mac_check_structmac_consistent(&mac); + error = mac_structmac_consistent(&mac); if (error) return (error); Index: security/mac/mac_process.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac/mac_process.c,v retrieving revision 1.112 diff -u -r1.112 mac_process.c --- security/mac/mac_process.c 2 Mar 2006 22:13:28 -0000 1.112 +++ security/mac/mac_process.c 26 Mar 2006 21:58:19 -0000 @@ -249,7 +249,7 @@ if (error) return (error); - error = mac_check_structmac_consistent(&mac); + error = mac_structmac_consistent(&mac); if (error) return (error); Index: security/mac/mac_socket.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac/mac_socket.c,v retrieving revision 1.4 diff -u -r1.4 mac_socket.c --- security/mac/mac_socket.c 5 Jul 2005 22:49:09 -0000 1.4 +++ security/mac/mac_socket.c 26 Mar 2006 21:58:19 -0000 @@ -503,7 +503,7 @@ char *buffer; int error; - error = mac_check_structmac_consistent(mac); + error = mac_structmac_consistent(mac); if (error) return (error); 
@@ -533,7 +533,7 @@ struct label *intlabel; int error; - error = mac_check_structmac_consistent(mac); + error = mac_structmac_consistent(mac); if (error) return (error); @@ -569,7 +569,7 @@ struct label *intlabel; int error; - error = mac_check_structmac_consistent(mac); + error = mac_structmac_consistent(mac); if (error) return (error);