Date: Tue, 8 Oct 2002 19:58:44 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 18955 for review Message-ID: <200210090258.g992wiuL017887@repoman.freebsd.org>
http://perforce.freebsd.org/p4db/chv.cgi?CH=18955 Change 18955 by rwatson@rwatson_tislabs on 2002/10/08 19:58:11 Back out change set 18953: wrong branch. Affected files ... .. //depot/projects/trustedbsd/mac/sys/conf/files#55 edit .. //depot/projects/trustedbsd/mac/sys/fs/devfs/devfs_vnops.c#29 edit .. //depot/projects/trustedbsd/mac/sys/fs/procfs/procfs.c#10 edit .. //depot/projects/trustedbsd/mac/sys/fs/procfs/procfs.h#9 edit .. //depot/projects/trustedbsd/mac/sys/fs/pseudofs/pseudofs.h#12 edit .. //depot/projects/trustedbsd/mac/sys/fs/pseudofs/pseudofs_vnops.c#19 edit .. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#306 edit .. //depot/projects/trustedbsd/mac/sys/kern/vfs_subr.c#42 edit .. //depot/projects/trustedbsd/mac/sys/modules/Makefile#38 edit .. //depot/projects/trustedbsd/mac/sys/modules/procfs/Makefile#9 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#131 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#176 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#138 edit .. //depot/projects/trustedbsd/mac/sys/ufs/ffs/ffs_vfsops.c#20 edit .. //depot/projects/trustedbsd/mac/sys/ufs/ufs/ufs_extattr.c#21 edit .. //depot/projects/trustedbsd/mac/sys/ufs/ufs/ufs_vnops.c#51 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/conf/files#55 (text+ko) ==== @@ -759,6 +759,7 @@ fs/procfs/procfs_dbregs.c optional procfs fs/procfs/procfs_fpregs.c optional procfs fs/procfs/procfs_ioctl.c optional procfs +fs/procfs/procfs_mac.c optional procfs fs/procfs/procfs_map.c optional procfs fs/procfs/procfs_mem.c optional procfs fs/procfs/procfs_note.c optional procfs ==== //depot/projects/trustedbsd/mac/sys/fs/devfs/devfs_vnops.c#29 (text+ko) ==== @@ -167,7 +167,7 @@ de->de_vnode = vp; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC - mac_associate_vnode_devfs(mp, de, vp); + mac_create_devfs_vnode(de, vp); #endif *vpp = vp; return (0); ==== //depot/projects/trustedbsd/mac/sys/fs/procfs/procfs.c#10 (text+ko) ==== 
@@ -153,6 +153,7 @@ dir = pfs_create_dir(root, "pid", &procfs_attr, NULL, PFS_PROCDEP); + dir->pn_refreshlabel = &procfs_piddir_refreshlabel; pfs_create_file(dir, "cmdline", &procfs_doproccmdline, NULL, NULL, PFS_RD); pfs_create_file(dir, "ctl", &procfs_doprocctl, ==== //depot/projects/trustedbsd/mac/sys/fs/procfs/procfs.h#9 (text+ko) ==== @@ -61,6 +61,9 @@ /* Attributes */ int procfs_attr(PFS_ATTR_ARGS); +/* MAC */ +int procfs_piddir_refreshlabel(PFS_REFRESHLABEL_ARGS); + /* Visibility */ int procfs_notsystem(PFS_VIS_ARGS); int procfs_candebug(PFS_VIS_ARGS); ==== //depot/projects/trustedbsd/mac/sys/fs/pseudofs/pseudofs.h#12 (text+ko) ==== @@ -145,6 +145,15 @@ typedef int (*pfs_getextattr_t)(PFS_GETEXTATTR_ARGS); /* + * Getlabel callback + */ +#define PFS_REFRESHLABEL_ARGS \ + struct thread *td, struct proc *p, struct vnode *vp, \ + struct pfs_node *pn, struct ucred *cred +struct mac; +typedef int (*pfs_refreshlabel_t)(PFS_REFRESHLABEL_ARGS); + +/* * Last-close callback */ #define PFS_CLOSE_ARGS \ @@ -185,6 +194,7 @@ pfs_attr_t pn_attr; pfs_vis_t pn_vis; pfs_getextattr_t pn_getextattr; + pfs_refreshlabel_t pn_refreshlabel; void *pn_data; int pn_flags; ==== //depot/projects/trustedbsd/mac/sys/fs/pseudofs/pseudofs_vnops.c#19 (text+ko) ==== @@ -28,6 +28,8 @@ * $FreeBSD: src/sys/fs/pseudofs/pseudofs_vnops.c,v 1.31 2002/09/25 02:32:40 jeff Exp $ */ +#include "opt_mac.h" + #include <sys/param.h> #include <sys/kernel.h> #include <sys/systm.h> @@ -35,6 +37,7 @@ #include <sys/dirent.h> #include <sys/fcntl.h> #include <sys/lock.h> +#include <sys/mac.h> #include <sys/mount.h> #include <sys/mutex.h> #include <sys/namei.h> 
@@ -729,6 +732,50 @@ return (pfs_vncache_free(va->a_vp)); } +#ifdef MAC +/* + * Refresh the vnode label as appropriate for the pseudo-file system. + */ +static int +pfs_refreshlabel(struct vop_refreshlabel_args *va) +{ + struct vnode *vn = va->a_vp; + struct pfs_vdata *pvd = (struct pfs_vdata *)vn->v_data; + struct pfs_node *pn = pvd->pvd_pn; + struct proc *proc = NULL; + int error; + + PFS_TRACE((pd->pn_name)); + + if (pn->pn_refreshlabel == NULL) { + mac_update_vnode_from_mount(vn, vn->v_mount); + return (0); + } + + /* + * This is necessary because either process' privileges may + * have changed since the last open() call. + */ + if (!pfs_visible(curthread, pn, pvd->pvd_pid)) + PFS_RETURN (EIO); + + /* XXX duplicate bits of pfs_visible() */ + if (pvd->pvd_pid != NO_PID) { + if ((proc = pfind(pvd->pvd_pid)) == NULL) + PFS_RETURN (EIO); + _PHOLD(proc); + PROC_UNLOCK(proc); + } + + error = (pn->pn_refreshlabel)(curthread, proc, vn, pn, va->a_cred); + + if (proc != NULL) + PRELE(proc); + + PFS_RETURN (error); +} +#endif + /* * Set attributes */ ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#306 (text+ko) ==== 
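Review bot: pfs_refreshlabel traces `PFS_TRACE((pd->pn_name));` but declares no `pd`; the node is held in `pn`, so this line cannot compile whenever PFS_TRACE expands to real code (presumably it is a no-op unless tracing is enabled, which would explain why it went unnoticed). Change it to `PFS_TRACE((pn->pn_name));`. The rest of the function reads consistently: the pfind()/_PHOLD/PROC_UNLOCK sequence is balanced by the PRELE after the callback, and a node that is not visible to curthread fails closed with EIO before any label is touched. The whole function lies within the hunk.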
@@ -143,12 +143,23 @@ &mac_enforce_vm, 0, "Enforce MAC policy on vm operations"); TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm); +static int mac_label_size = sizeof(struct oldmac); +SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD, + &mac_label_size, 0, "Pre-compiled MAC label size"); + static int mac_cache_fslabel_in_vnode = 1; SYSCTL_INT(_security_mac, OID_AUTO, cache_fslabel_in_vnode, CTLFLAG_RW, &mac_cache_fslabel_in_vnode, 0, "Cache mount fslabel in vnode"); TUNABLE_INT("security.mac.cache_fslabel_in_vnode", &mac_cache_fslabel_in_vnode); +static int mac_vnode_label_cache_hits = 0; +SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_hits, CTLFLAG_RD, + &mac_vnode_label_cache_hits, 0, "Cache hits on vnode labels"); +static int mac_vnode_label_cache_misses = 0; +SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_misses, CTLFLAG_RD, + &mac_vnode_label_cache_misses, 0, "Cache misses on vnode labels"); + static int mac_mmap_revocation = 0; SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation, CTLFLAG_RW, &mac_mmap_revocation, 0, "Revoke mmap access to files on subject " @@ -203,9 +214,12 @@ #endif static int error_select(int error1, int error2); +static int mac_externalize_vnode_oldmac(struct label *label, + struct oldmac *extmac); static int mac_policy_register(struct mac_policy_conf *mpc); static int mac_policy_unregister(struct mac_policy_conf *mpc); +static int mac_stdcreatevnode_ea(struct vnode *vp); static void mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot); static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, 
@@ -213,9 +227,6 @@ static void mac_destroy_socket_label(struct label *label); -static int mac_setlabel_vnode_extattr(struct ucred *cred, - struct vnode *vp, struct label *intlabel); - MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector"); MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes"); MALLOC_DEFINE(M_MACTEMP, "mactemp", "MAC temporary label storage"); @@ -577,6 +588,10 @@ mpc->mpc_ops->mpo_externalize_vnode_label = mpe->mpe_function; break; + case MAC_EXTERNALIZE_VNODE_OLDMAC: + mpc->mpc_ops->mpo_externalize_vnode_oldmac = + mpe->mpe_function; + break; case MAC_INTERNALIZE_CRED_LABEL: mpc->mpc_ops->mpo_internalize_cred_label = mpe->mpe_function; @@ -617,6 +632,10 @@ mpc->mpc_ops->mpo_stdcreatevnode_ea = mpe->mpe_function; break; + case MAC_CREATE_VNODE: + mpc->mpc_ops->mpo_create_vnode = + mpe->mpe_function; + break; case MAC_CREATE_MOUNT: mpc->mpc_ops->mpo_create_mount = mpe->mpe_function; @@ -633,24 +652,20 @@ mpc->mpc_ops->mpo_update_devfsdirent = mpe->mpe_function; break; - case MAC_ASSOCIATE_VNODE_DEVFS: - mpc->mpc_ops->mpo_associate_vnode_devfs = + case MAC_UPDATE_PROCFSVNODE: + mpc->mpc_ops->mpo_update_procfsvnode = mpe->mpe_function; break; - case MAC_ASSOCIATE_VNODE_EXTATTR: - mpc->mpc_ops->mpo_associate_vnode_extattr = + case MAC_UPDATE_VNODE_FROM_EXTATTR: + mpc->mpc_ops->mpo_update_vnode_from_extattr = mpe->mpe_function; break; - case MAC_ASSOCIATE_VNODE_SINGLELABEL: - mpc->mpc_ops->mpo_associate_vnode_singlelabel = + case MAC_UPDATE_VNODE_FROM_EXTERNALIZED: + mpc->mpc_ops->mpo_update_vnode_from_externalized = mpe->mpe_function; break; - case MAC_CREATE_VNODE_EXTATTR: - mpc->mpc_ops->mpo_create_vnode_extattr = - mpe->mpe_function; - break; - case MAC_SETLABEL_VNODE_EXTATTR: - mpc->mpc_ops->mpo_setlabel_vnode_extattr = + case MAC_UPDATE_VNODE_FROM_MOUNT: + mpc->mpc_ops->mpo_update_vnode_from_mount = mpe->mpe_function; break; case MAC_CREATE_MBUF_FROM_SOCKET: 
@@ -1683,6 +1698,16 @@ } static int +mac_externalize_vnode_oldmac(struct label *label, struct oldmac *extmac) +{ + int error; + + MAC_CHECK(externalize_vnode_oldmac, label, extmac); + + return (error); +} + +static int mac_internalize_cred_label(struct label *label, struct mac *mac, struct mac_element *element_array) { 
@@ -1786,110 +1811,276 @@ } void -mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de, - struct vnode *vp) +mac_update_procfsvnode(struct vnode *vp, struct ucred *cred) { - MAC_PERFORM(associate_vnode_devfs, mp, &mp->mnt_fslabel, de, - &de->de_label, vp, &vp->v_label); + MAC_PERFORM(update_procfsvnode, vp, &vp->v_label, cred); } -int -mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp) +/* + * Support callout for policies that manage their own externalization + * using extended attributes. + */ +static int +mac_update_vnode_from_extattr(struct vnode *vp, struct mount *mp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_associate_vnode_extattr"); + MAC_CHECK(update_vnode_from_extattr, vp, &vp->v_label, mp, + &mp->mnt_fslabel); + + return (error); +} + +/* + * Given an externalized mac label, internalize it and stamp it on a + * vnode. + */ +static int +mac_update_vnode_from_externalized(struct vnode *vp, struct oldmac *extmac) +{ + int error; - MAC_CHECK(associate_vnode_extattr, mp, &mp->mnt_fslabel, vp, - &vp->v_label); + MAC_CHECK(update_vnode_from_externalized, vp, &vp->v_label, extmac); return (error); } +/* + * Call out to individual policies to update the label in a vnode from + * the mountpoint. + */ void -mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp) +mac_update_vnode_from_mount(struct vnode *vp, struct mount *mp) { - MAC_PERFORM(associate_vnode_singlelabel, mp, &mp->mnt_fslabel, vp, - &vp->v_label); + MAC_PERFORM(update_vnode_from_mount, vp, &vp->v_label, mp, + &mp->mnt_fslabel); + + ASSERT_VOP_LOCKED(vp, "mac_update_vnode_from_mount"); + if (mac_cache_fslabel_in_vnode) + vp->v_vflag |= VV_CACHEDLABEL; } +/* + * Implementation of VOP_REFRESHLABEL() that relies on extended attributes + * to store label data. Can be referenced by filesystems supporting + * extended attributes. 
+ */ int -mac_create_vnode_extattr(struct ucred *cred, struct mount *mp, - struct vnode *dvp, struct vnode *vp, struct componentname *cnp) +vop_stdrefreshlabel_ea(struct vop_refreshlabel_args *ap) { - int error; + struct vnode *vp = ap->a_vp; + struct oldmac extmac; + int buflen, error; - ASSERT_VOP_LOCKED(dvp, "mac_create_vnode_extattr"); - ASSERT_VOP_LOCKED(vp, "mac_create_vnode_extattr"); + ASSERT_VOP_LOCKED(vp, "vop_stdrefreshlabel_ea"); - error = VOP_OPENEXTATTR(vp, cred, curthread); - if (error == EOPNOTSUPP) { - /* XXX: Optionally abort if transactions not supported. */ - printf("Warning: transactions not supported in EA write.\n"); - } else if (error) + /* + * Call out to external policies first. Order doesn't really + * matter, as long as failure of one assures failure of all. + */ + error = mac_update_vnode_from_extattr(vp, vp->v_mount); + if (error) return (error); - MAC_CHECK(create_vnode_extattr, cred, mp, &mp->mnt_fslabel, - dvp, &dvp->v_label, vp, &vp->v_label, cnp); + buflen = sizeof(extmac); + error = vn_extattr_get(vp, IO_NODELOCKED, + FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, &buflen, + (char *)&extmac, curthread); + switch (error) { + case 0: + /* Got it */ + break; + + case ENOATTR: + /* + * Use the label from the mount point. + */ + mac_update_vnode_from_mount(vp, vp->v_mount); + return (0); - if (error) { - VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread); + case EOPNOTSUPP: + default: + /* Fail horribly. */ return (error); } - error = VOP_CLOSEEXTATTR(vp, 1, NOCRED, curthread); + if (buflen != sizeof(extmac)) + error = EPERM; /* Fail very closed. 
*/ + if (error == 0) + error = mac_update_vnode_from_externalized(vp, &extmac); + if (error == 0) + vp->v_vflag |= VV_CACHEDLABEL; + else { + struct vattr va; - if (error == EOPNOTSUPP) - error = 0; /* XXX */ + printf("Corrupted label on %s", + vp->v_mount->mnt_stat.f_mntonname); + if (VOP_GETATTR(vp, &va, curthread->td_ucred, curthread) == 0) + printf(" inum %ld", va.va_fileid); +#ifdef MAC_DEBUG + if (mac_debug_label_fallback) { + printf(", falling back.\n"); + mac_update_vnode_from_mount(vp, vp->v_mount); + error = 0; + } else { +#endif + printf(".\n"); + error = EPERM; +#ifdef MAC_DEBUG + } +#endif + } return (error); } +/* + * Make sure the vnode label is up-to-date. If EOPNOTSUPP, then we handle + * the labeling activity outselves. Filesystems should be careful not + * to change their minds regarding whether they support vop_refreshlabel() + * for a vnode or not. Don't cache the vnode here, allow the file + * system code to determine if it's safe to cache. If we update from + * the mount, don't cache since a change to the mount label should affect + * all vnodes. + */ static int -mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, - struct label *intlabel) +vn_refreshlabel(struct vnode *vp, struct ucred *cred) { int error; - ASSERT_VOP_LOCKED(vp, "mac_setlabel_vnode_extattr"); + ASSERT_VOP_LOCKED(vp, "vn_refreshlabel"); + + if (vp->v_mount == NULL) { +/* + Eventually, we probably want to special-case refreshing + of deadfs vnodes, and if there's a lock-free race somewhere, + that case might be handled here. + + mac_update_vnode_deadfs(vp); + return (0); + */ + /* printf("vn_refreshlabel: null v_mount\n"); */ + if (vp->v_type != VNON) + printf( + "vn_refreshlabel: null v_mount with non-VNON\n"); + return (EBADF); + } - error = VOP_OPENEXTATTR(vp, cred, curthread); - if (error == EOPNOTSUPP) { - /* XXX: Optionally abort if transactions not supported. 
*/ - printf("Warning: transactions not supported in EA write.\n"); - } else if (error) - return (error); + if (vp->v_vflag & VV_CACHEDLABEL) { + mac_vnode_label_cache_hits++; + return (0); + } else + mac_vnode_label_cache_misses++; - MAC_CHECK(setlabel_vnode_extattr, cred, vp, &vp->v_label, intlabel); + if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { + mac_update_vnode_from_mount(vp, vp->v_mount); + return (0); + } - if (error) { - VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread); + error = VOP_REFRESHLABEL(vp, cred, curthread); + switch (error) { + case EOPNOTSUPP: + /* + * If labels are not supported on this vnode, fall back to + * the label in the mount and propagate it to the vnode. + * There should probably be some sort of policy/flag/decision + * about doing this. + */ + mac_update_vnode_from_mount(vp, vp->v_mount); + error = 0; + default: return (error); } +} + +/* + * Helper function for file systems using the vop_std*_ea() calls. This + * function must be called after EA service is available for the vnode, + * but before it's hooked up to the namespace so that the node persists + * if there's a crash, or before it can be accessed. On successful + * commit of the label to disk (etc), do cache the label. + */ +int +vop_stdcreatevnode_ea(struct vnode *dvp, struct vnode *tvp, struct ucred *cred) +{ + struct oldmac extmac; + int error; + + ASSERT_VOP_LOCKED(tvp, "vop_stdcreatevnode_ea"); + if ((dvp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { + mac_update_vnode_from_mount(tvp, tvp->v_mount); + } else { + error = vn_refreshlabel(dvp, cred); + if (error) + return (error); + + /* + * Stick the label in the vnode. Then try to write to + * disk. If we fail, return a failure to abort the + * create operation. Really, this failure shouldn't + * happen except in fairly unusual circumstances (out + * of disk, etc). 
+ */ + mac_create_vnode(cred, dvp, tvp); + + error = mac_stdcreatevnode_ea(tvp); + if (error) + return (error); - error = VOP_CLOSEEXTATTR(vp, 1, NOCRED, curthread); + /* + * XXX: Eventually this will go away and all policies will + * directly manage their extended attributes. + */ + error = mac_externalize_vnode_oldmac(&tvp->v_label, &extmac); + if (error) + return (error); - if (error == EOPNOTSUPP) - error = 0; /* XXX */ + error = vn_extattr_set(tvp, IO_NODELOCKED, + FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, + sizeof(extmac), (char *)&extmac, curthread); + if (error == 0) + tvp->v_vflag |= VV_CACHEDLABEL; + else { +#if 0 + /* + * In theory, we could have fall-back behavior here. + * It would probably be incorrect. + */ +#endif + return (error); + } + } - return (error); + return (0); } void mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp) { + int error; ASSERT_VOP_LOCKED(vp, "mac_execve_transition"); + error = vn_refreshlabel(vp, old); + if (error) { + printf("mac_execve_transition: vn_refreshlabel returned %d\n", + error); + printf("mac_execve_transition: using old vnode label\n"); + } + MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label); } int mac_execve_will_transition(struct ucred *old, struct vnode *vp) { - int result; + int error, result; + + error = vn_refreshlabel(vp, old); + if (error) + return (error); result = 0; MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label); @@ -1907,6 +2098,10 @@ if (!mac_enforce_fs) return (0); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, flags); return (error); } @@ -1921,6 +2116,10 @@ if (!mac_enforce_fs) return (0); + error = vn_refreshlabel(dvp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label); return (error); } 
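Review bot: In vn_refreshlabel the `case EOPNOTSUPP:` arm sets `error = 0;` and then runs straight into `default: return (error);` with no fall-through marker, so a reader is likely to take it for a missing `break`; add `/* FALLTHROUGH */` after `error = 0;`. The comment above vn_refreshlabel says a label taken from the mount should not be cached, yet the non-MNT_MULTILABEL path calls mac_update_vnode_from_mount, which sets VV_CACHEDLABEL whenever mac_cache_fslabel_in_vnode is on, so either the comment or the caching needs reconciling. mac_execve_transition logs a vn_refreshlabel failure and continues with whatever label is already in the vnode, while mac_execve_will_transition returns the error; mac_create_vnode in the later -3158 hunk uses the same log-and-continue pattern, and since both are void the reason deserves a comment such as `/* Cannot return failure; the label was presumably refreshed by an earlier check, so continue with the cached one. */` (that earlier refresh is not visible in this hunk, so confirm before committing to the wording). mac_execve_will_transition's body continues past the end of the hunk.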
@@ -1935,6 +2134,10 @@ if (!mac_enforce_fs) return (0); + error = vn_refreshlabel(dvp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label); return (error); } @@ -1950,6 +2153,10 @@ if (!mac_enforce_fs) return (0); + error = vn_refreshlabel(dvp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap); return (error); } @@ -1966,6 +2173,13 @@ if (!mac_enforce_fs) return (0); + error = vn_refreshlabel(dvp, cred); + if (error) + return (error); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp, &vp->v_label, cnp); return (error); @@ -1982,6 +2196,10 @@ if (!mac_enforce_fs) return (0); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type); return (error); } @@ -1996,6 +2214,9 @@ if (!mac_enforce_process && !mac_enforce_fs) return (0); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label); return (error); @@ -2011,6 +2232,10 @@ if (!mac_enforce_fs) return (0); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type); return (error); } @@ -2026,6 +2251,10 @@ if (!mac_enforce_fs) return (0); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label, attrnamespace, name, uio); return (error); @@ -2043,6 +2272,14 @@ if (!mac_enforce_fs) return (0); + error = vn_refreshlabel(dvp, cred); + if (error) + return (error); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp, &vp->v_label, cnp); return (error); 
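Review bot: The refresh-then-bail prologue `error = vn_refreshlabel(vp, cred); if (error) return (error);` is now pasted verbatim into every mac_check_vnode_* function across this and the following hunks, and the -1996 hunk (mac_check_vnode_exec) is the one place that drops the blank line between that block and the MAC_CHECK call that all its siblings keep. A small static helper taking the vnode, the credential and a pointer to `error` would make the repeated pattern one line per call site and keep the layout uniform; at minimum, match the siblings' spacing in mac_check_vnode_exec. Each of these functions starts and ends outside its hunk.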
@@ -2059,6 +2296,10 @@ if (!mac_enforce_fs) return (0); + error = vn_refreshlabel(dvp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp); return (error); } @@ -2073,6 +2314,10 @@ if (!mac_enforce_fs || !mac_enforce_vm) return (0); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_mmap, cred, vp, &vp->v_label, prot); return (error); } @@ -2103,6 +2348,10 @@ if (!mac_enforce_fs || !mac_enforce_vm) return (0); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_mprotect, cred, vp, &vp->v_label, prot); return (error); } @@ -2117,6 +2366,10 @@ if (!mac_enforce_fs) return (0); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); return (error); } @@ -2132,6 +2385,10 @@ if (!mac_enforce_fs) return (0); + error = vn_refreshlabel(vp, active_cred); + if (error) + return (error); + MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp, &vp->v_label); @@ -2149,6 +2406,10 @@ if (!mac_enforce_fs) return (0); + error = vn_refreshlabel(vp, active_cred); + if (error) + return (error); + MAC_CHECK(check_vnode_read, active_cred, file_cred, vp, &vp->v_label); @@ -2165,6 +2426,10 @@ if (!mac_enforce_fs) return (0); + error = vn_refreshlabel(dvp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label); return (error); } @@ -2179,6 +2444,10 @@ if (!mac_enforce_fs) return (0); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label); return (error); } @@ -2191,6 +2460,10 @@ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel"); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel); return (error); 
@@ -2208,6 +2481,13 @@ if (!mac_enforce_fs) return (0); + error = vn_refreshlabel(dvp, cred); + if (error) + return (error); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp, &vp->v_label, cnp); return (error); @@ -2225,6 +2505,14 @@ if (!mac_enforce_fs) return (0); + error = vn_refreshlabel(dvp, cred); + if (error) + return (error); + if (vp != NULL) { + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + } MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp, vp != NULL ? &vp->v_label : NULL, samedir, cnp); return (error); @@ -2240,6 +2528,10 @@ if (!mac_enforce_fs) return (0); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label); return (error); } @@ -2255,6 +2547,10 @@ if (!mac_enforce_fs) return (0); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl); return (error); } @@ -2270,6 +2566,10 @@ if (!mac_enforce_fs) return (0); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label, attrnamespace, name, uio); return (error); @@ -2285,6 +2585,10 @@ if (!mac_enforce_fs) return (0); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags); return (error); } @@ -2299,6 +2603,10 @@ if (!mac_enforce_fs) return (0); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode); return (error); } @@ -2314,6 +2622,10 @@ if (!mac_enforce_fs) return (0); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid); return (error); } 
@@ -2329,6 +2641,10 @@ if (!mac_enforce_fs) return (0); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime, mtime); return (error); @@ -2345,6 +2661,10 @@ if (!mac_enforce_fs) return (0); + error = vn_refreshlabel(vp, active_cred); + if (error) + return (error); + MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp, &vp->v_label); return (error); @@ -2361,6 +2681,10 @@ if (!mac_enforce_fs) return (0); + error = vn_refreshlabel(vp, active_cred); + if (error) + return (error); + MAC_CHECK(check_vnode_write, active_cred, file_cred, vp, &vp->v_label); @@ -3142,6 +3466,16 @@ &de->de_label); } +static int +mac_stdcreatevnode_ea(struct vnode *vp) +{ + int error; + + MAC_CHECK(stdcreatevnode_ea, vp, &vp->v_label); + + return (error); +} + void mac_create_devfs_directory(char *dirname, int dirnamelen, struct devfs_dirent *de) @@ -3158,10 +3492,18 @@ mac_create_vnode(struct ucred *cred, struct vnode *parent, struct vnode *child) { + int error; ASSERT_VOP_LOCKED(parent, "mac_create_vnode"); ASSERT_VOP_LOCKED(child, "mac_create_vnode"); + error = vn_refreshlabel(parent, cred); + if (error) { + printf("mac_create_vnode: vn_refreshlabel returned %d\n", + error); + printf("mac_create_vnode: using old vnode label\n"); + } + MAC_PERFORM(create_vnode, cred, parent, &parent->v_label, child, &child->v_label); } @@ -3262,19 +3604,35 @@ { struct vnode *vp = ap->a_vp; struct label *intlabel = ap->a_label; + struct oldmac extmac; int error; >>> TRUNCATED FOR MAIL (1000 lines) <<< To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message