From owner-p4-projects@FreeBSD.ORG Sat Jul 8 13:05:51 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 47B9716A4E1; Sat, 8 Jul 2006 13:05:51 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F300916A4DF for ; Sat, 8 Jul 2006 13:05:50 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7BDD743D67 for ; Sat, 8 Jul 2006 13:05:50 +0000 (GMT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k68D5oXA008104 for ; Sat, 8 Jul 2006 13:05:50 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k68D5o1S008092 for perforce@freebsd.org; Sat, 8 Jul 2006 13:05:50 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Sat, 8 Jul 2006 13:05:50 GMT Message-Id: <200607081305.k68D5o1S008092@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
From: Robert Watson To: Perforce Change Reviews Cc: Subject: PERFORCE change 100991 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 08 Jul 2006 13:05:51 -0000 http://perforce.freebsd.org/chv.cgi?CH=100991 Change 100991 by rwatson@rwatson_zoo on 2006/07/08 13:05:00 Rename. Affected files ... .. //depot/projects/trustedbsd/mac2/sys/security/mac_bsdextended/mac_bsdextended.c#2 edit Differences ... ==== //depot/projects/trustedbsd/mac2/sys/security/mac_bsdextended/mac_bsdextended.c#2 (text+ko) ==== @@ -2,6 +2,7 @@ * Copyright (c) 2005 Tom Rhodes * Copyright (c) 1999-2002 Robert N. M. Watson * Copyright (c) 2001-2005 Networks Associates Technology, Inc. + * Copyright (c) 2006 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -12,6 +13,9 @@ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), * as part of the DARPA CHATS research program. * + * This software was enhanced by SPARTA ISSO under SPAWAR contract + * N66001-04-C-6019 ("SEFOS"). + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -234,7 +238,7 @@ CTLFLAG_RW, sysctl_rule, "BSD extended MAC rules"); static void -mac_bsdextended_init(struct mac_policy_conf *mpc) +mac_bsdextended_policy_init(struct mac_policy_conf *mpc) { /* Initialize ruleset lock. */ @@ -244,7 +248,7 @@ } static void -mac_bsdextended_destroy(struct mac_policy_conf *mpc) +mac_bsdextended_policy_destroy(struct mac_policy_conf *mpc) { /* Destroy ruleset lock. */ @@ -503,7 +507,7 @@ } static int -mac_bsdextended_check_system_swapon(struct ucred *cred, struct vnode *vp, +mac_bsdextended_system_check_swapon(struct ucred *cred, struct vnode *vp, struct label *label) { 
@@ -511,7 +515,7 @@ } static int -mac_bsdextended_check_vnode_access(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_access(struct ucred *cred, struct vnode *vp, struct label *label, int acc_mode) { @@ -519,7 +523,7 @@ } static int -mac_bsdextended_check_vnode_chdir(struct ucred *cred, struct vnode *dvp, +mac_bsdextended_vnode_check_chdir(struct ucred *cred, struct vnode *dvp, struct label *dlabel) { @@ -527,7 +531,7 @@ } static int -mac_bsdextended_check_vnode_chroot(struct ucred *cred, struct vnode *dvp, +mac_bsdextended_vnode_check_chroot(struct ucred *cred, struct vnode *dvp, struct label *dlabel) { @@ -543,21 +547,7 @@ } static int -mac_bsdextended_check_vnode_delete(struct ucred *cred, struct vnode *dvp, - struct label *dlabel, struct vnode *vp, struct label *label, - struct componentname *cnp) -{ - int error; - - error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE); - if (error) - return (error); - - return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE)); -} - -static int -mac_bsdextended_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type) { @@ -565,7 +555,7 @@ } static int -mac_bsdextended_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name) { @@ -573,7 +563,7 @@ } static int -mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_exec(struct ucred *cred, struct vnode *vp, struct label *label, struct image_params *imgp, struct label *execlabel) { @@ -582,7 +572,7 @@ } static int -mac_bsdextended_check_vnode_getacl(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_getacl(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type) { 
@@ -590,7 +580,7 @@ } static int -mac_bsdextended_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_getextattr(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio) { @@ -598,7 +588,7 @@ } static int -mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp, +mac_bsdextended_vnode_check_link(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp) { @@ -615,7 +605,7 @@ } static int -mac_bsdextended_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_listextattr(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace) { @@ -623,7 +613,7 @@ } static int -mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, +mac_bsdextended_vnode_check_lookup(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp) { @@ -631,7 +621,7 @@ } static int -mac_bsdextended_check_vnode_open(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_open(struct ucred *cred, struct vnode *vp, struct label *filelabel, int acc_mode) { @@ -639,7 +629,7 @@ } static int -mac_bsdextended_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, +mac_bsdextended_vnode_check_readdir(struct ucred *cred, struct vnode *dvp, struct label *dlabel) { @@ -647,7 +637,7 @@ } static int -mac_bsdextended_check_vnode_readdlink(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_readdlink(struct ucred *cred, struct vnode *vp, struct label *label) { @@ -655,7 +645,7 @@ } static int -mac_bsdextended_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, +mac_bsdextended_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp) { 
@@ -670,7 +660,7 @@ } static int -mac_bsdextended_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, +mac_bsdextended_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, int samedir, struct componentname *cnp) { @@ -687,7 +677,7 @@ } static int -mac_bsdextended_check_vnode_revoke(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_revoke(struct ucred *cred, struct vnode *vp, struct label *label) { @@ -703,7 +693,7 @@ } static int -mac_bsdextended_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_setextattr(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio) { @@ -711,7 +701,7 @@ } static int -mac_bsdextended_check_vnode_setflags(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_setflags(struct ucred *cred, struct vnode *vp, struct label *label, u_long flags) { @@ -719,7 +709,7 @@ } static int -mac_bsdextended_check_vnode_setmode(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_setmode(struct ucred *cred, struct vnode *vp, struct label *label, mode_t mode) { @@ -727,7 +717,7 @@ } static int -mac_bsdextended_check_vnode_setowner(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_setowner(struct ucred *cred, struct vnode *vp, struct label *label, uid_t uid, gid_t gid) { @@ -735,7 +725,7 @@ } static int -mac_bsdextended_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, +mac_bsdextended_vnode_check_setutimes(struct ucred *cred, struct vnode *vp, struct label *label, struct timespec atime, struct timespec utime) { 
@@ -743,44 +733,58 @@ } static int -mac_bsdextended_check_vnode_stat(struct ucred *active_cred, +mac_bsdextended_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, struct label *label) { return (mac_bsdextended_check_vp(active_cred, vp, MBI_STAT)); } +static int +mac_bsdextended_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, + struct label *dlabel, struct vnode *vp, struct label *label, + struct componentname *cnp) +{ + int error; + + error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE); + if (error) + return (error); + + return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE)); +} + static struct mac_policy_ops mac_bsdextended_ops = { - .mpo_destroy = mac_bsdextended_destroy, - .mpo_init = mac_bsdextended_init, - .mpo_check_system_swapon = mac_bsdextended_check_system_swapon, - .mpo_check_vnode_access = mac_bsdextended_check_vnode_access, - .mpo_check_vnode_chdir = mac_bsdextended_check_vnode_chdir, - .mpo_check_vnode_chroot = mac_bsdextended_check_vnode_chroot, - .mpo_check_vnode_create = mac_bsdextended_check_create_vnode, - .mpo_check_vnode_delete = mac_bsdextended_check_vnode_delete, - .mpo_check_vnode_deleteacl = mac_bsdextended_check_vnode_deleteacl, - .mpo_check_vnode_deleteextattr = mac_bsdextended_check_vnode_deleteextattr, - .mpo_check_vnode_exec = mac_bsdextended_check_vnode_exec, - .mpo_check_vnode_getacl = mac_bsdextended_check_vnode_getacl, - .mpo_check_vnode_getextattr = mac_bsdextended_check_vnode_getextattr, - .mpo_check_vnode_link = mac_bsdextended_check_vnode_link, - .mpo_check_vnode_listextattr = mac_bsdextended_check_vnode_listextattr, - .mpo_check_vnode_lookup = mac_bsdextended_check_vnode_lookup, - .mpo_check_vnode_open = mac_bsdextended_check_vnode_open, - .mpo_check_vnode_readdir = mac_bsdextended_check_vnode_readdir, - .mpo_check_vnode_readlink = mac_bsdextended_check_vnode_readdlink, - .mpo_check_vnode_rename_from = mac_bsdextended_check_vnode_rename_from, - .mpo_check_vnode_rename_to = 
mac_bsdextended_check_vnode_rename_to, - .mpo_check_vnode_revoke = mac_bsdextended_check_vnode_revoke, - .mpo_check_vnode_setacl = mac_bsdextended_check_setacl_vnode, - .mpo_check_vnode_setextattr = mac_bsdextended_check_vnode_setextattr, - .mpo_check_vnode_setflags = mac_bsdextended_check_vnode_setflags, - .mpo_check_vnode_setmode = mac_bsdextended_check_vnode_setmode, - .mpo_check_vnode_setowner = mac_bsdextended_check_vnode_setowner, - .mpo_check_vnode_setutimes = mac_bsdextended_check_vnode_setutimes, - .mpo_check_vnode_stat = mac_bsdextended_check_vnode_stat, + .mpo_policy_destroy = mac_bsdextended_policy_destroy, + .mpo_policy_init = mac_bsdextended_policy_init, + .mpo_system_check_swapon = mac_bsdextended_system_check_swapon, + .mpo_vnode_check_access = mac_bsdextended_vnode_check_access, + .mpo_vnode_check_chdir = mac_bsdextended_vnode_check_chdir, + .mpo_vnode_check_chroot = mac_bsdextended_vnode_check_chroot, + .mpo_vnode_check_create = mac_bsdextended_check_create_vnode, + .mpo_vnode_check_deleteacl = mac_bsdextended_vnode_check_deleteacl, + .mpo_vnode_check_deleteextattr = mac_bsdextended_vnode_check_deleteextattr, + .mpo_vnode_check_exec = mac_bsdextended_vnode_check_exec, + .mpo_vnode_check_getacl = mac_bsdextended_vnode_check_getacl, + .mpo_vnode_check_getextattr = mac_bsdextended_vnode_check_getextattr, + .mpo_vnode_check_link = mac_bsdextended_vnode_check_link, + .mpo_vnode_check_listextattr = mac_bsdextended_vnode_check_listextattr, + .mpo_vnode_check_lookup = mac_bsdextended_vnode_check_lookup, + .mpo_vnode_check_open = mac_bsdextended_vnode_check_open, + .mpo_vnode_check_readdir = mac_bsdextended_vnode_check_readdir, + .mpo_vnode_check_readlink = mac_bsdextended_vnode_check_readdlink, + .mpo_vnode_check_rename_from = mac_bsdextended_vnode_check_rename_from, + .mpo_vnode_check_rename_to = mac_bsdextended_vnode_check_rename_to, + .mpo_vnode_check_revoke = mac_bsdextended_vnode_check_revoke, + .mpo_vnode_check_setacl = 
mac_bsdextended_check_setacl_vnode, + .mpo_vnode_check_setextattr = mac_bsdextended_vnode_check_setextattr, + .mpo_vnode_check_setflags = mac_bsdextended_vnode_check_setflags, + .mpo_vnode_check_setmode = mac_bsdextended_vnode_check_setmode, + .mpo_vnode_check_setowner = mac_bsdextended_vnode_check_setowner, + .mpo_vnode_check_setutimes = mac_bsdextended_vnode_check_setutimes, + .mpo_vnode_check_stat = mac_bsdextended_vnode_check_stat, + .mpo_vnode_check_unlink = mac_bsdextended_vnode_check_unlink, }; MAC_POLICY_SET(&mac_bsdextended_ops, mac_bsdextended,
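Review bot: The rebuilt `mac_bsdextended_ops` table leaves two handlers under the old naming, `.mpo_vnode_check_create = mac_bsdextended_check_create_vnode` and `.mpo_vnode_check_setacl = mac_bsdextended_check_setacl_vnode`, while every other handler in this change moved to the `mac_bsdextended_vnode_check_*` form; the definitions of those two are outside this hunk, and the `.mpo_vnode_check_readlink = mac_bsdextended_vnode_check_readdlink` entry also carries the pre-existing `readdlink` spelling into the new name. The new `mac_bsdextended_vnode_check_unlink` reproduces the body of `mac_bsdextended_check_vnode_delete` removed in the `@@ -543,21 +547,7 @@` hunk, so the decision (MBI_WRITE on the directory, then MBI_WRITE on the target vnode) is unchanged by the move; a short comment above it such as `/* Unlink needs write access to both the directory and the target vnode. */` would make that intent explicit, since the unused `dlabel`, `label` and `cnp` parameters otherwise suggest the labels might be consulted. I cannot see the `struct mac_policy_ops` declaration for this branch, so I assume the `mpo_policy_*`, `mpo_system_check_*` and `mpo_vnode_check_*` members already exist there.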