diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c --- a/sys/security/mac/mac_framework.c +++ b/sys/security/mac/mac_framework.c @@ -519,7 +519,8 @@ static int mac_policy_register(struct mac_policy_conf *mpc) { - struct mac_policy_conf *tmpc; + struct mac_policy_list_head *mpc_list; + struct mac_policy_conf *last_mpc, *tmpc; int error, slot, static_entry; error = 0; @@ -539,19 +540,14 @@ static_entry = (!mac_late && !(mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK)); - if (static_entry) { - LIST_FOREACH(tmpc, &mac_static_policy_list, mpc_list) { - if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) { - error = EEXIST; - goto out; - } - } - } else { - LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) { - if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) { - error = EEXIST; - goto out; - } + mpc_list = (static_entry) ? &mac_static_policy_list : + &mac_policy_list; + last_mpc = NULL; + LIST_FOREACH(tmpc, mpc_list, mpc_list) { + last_mpc = tmpc; + if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) { + error = EEXIST; + goto out; } } if (mpc->mpc_field_off != NULL) { @@ -567,16 +563,14 @@ mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED; /* - * If we're loading a MAC module after the framework has initialized, - * it has to go into the dynamic list. If we're loading it before - * we've finished initializing, it can go into the static list with - * weaker locker requirements. + * Some modules may depend on the operations of its dependencies. + * Inserting modules in order of registration ensures operations + * that work on the module list retain dependency order. */ - if (static_entry) - LIST_INSERT_HEAD(&mac_static_policy_list, mpc, mpc_list); + if (last_mpc == NULL) + LIST_INSERT_HEAD(mpc_list, mpc, mpc_list); else - LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list); - + LIST_INSERT_AFTER(last_mpc, mpc, mpc_list); /* * Per-policy initialization. Currently, this takes place under the * exclusive lock, so policies must not sleep in their init method.