From: Robert Watson Subject: PERFORCE change 14627 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://people.freebsd.org/~peter/p4db/chv.cgi?CH=14627 Change 14627 by rwatson@rwatson_curry on 2002/07/21 13:09:39 Rename mac_cred_check_search_vnode() to mac_cred_check_lookup_vnode() to be more consistent with the name of the service that we are protecting. A bit of whitespace cleanup also. Affected files ... .. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#181 edit .. //depot/projects/trustedbsd/mac/sys/kern/vfs_lookup.c#15 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#58 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#37 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#46 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#39 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#41 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.h#9 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#9 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#115 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#78 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#181 (text+ko) ==== @@ -550,6 +550,10 @@ mpc->mpc_ops->mpo_cred_check_listen_socket = mpe->mpe_function; break; + case MAC_CRED_CHECK_LOOKUP_VNODE: + mpc->mpc_ops->mpo_cred_check_lookup_vnode = + mpe->mpe_function; + break; case MAC_CRED_CHECK_OPEN_VNODE: mpc->mpc_ops->mpo_cred_check_open_vnode = mpe->mpe_function; 
@@ -574,10 +578,6 @@ mpc->mpc_ops->mpo_cred_check_revoke_vnode = mpe->mpe_function; break; - case MAC_CRED_CHECK_SEARCH_VNODE: - mpc->mpc_ops->mpo_cred_check_search_vnode = - mpe->mpe_function; - break; case MAC_CRED_CHECK_SETACL_VNODE: mpc->mpc_ops->mpo_cred_check_setacl_vnode = mpe->mpe_function; @@ -1669,6 +1669,24 @@ } int +mac_cred_check_lookup_vnode(struct ucred *cred, struct vnode *dvp) +{ + int error; + + ASSERT_VOP_LOCKED(dvp, "mac_cred_check_lookup_vnode"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(dvp, cred); + if (error) + return (error); + + MAC_CHECK(cred_check_lookup_vnode, cred, dvp, &dvp->v_label); + return (error); +} + +int mac_cred_check_open_vnode(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { int error; @@ -1741,24 +1759,6 @@ } int -mac_cred_check_search_vnode(struct ucred *cred, struct vnode *dvp) -{ - int error; - - ASSERT_VOP_LOCKED(dvp, "mac_cred_check_search_vnode"); - - if (!mac_enforce_fs) - return (0); - - error = vn_refreshlabel(dvp, cred); - if (error) - return (error); - - MAC_CHECK(cred_check_search_vnode, cred, dvp, &dvp->v_label); - return (error); -} - -int mac_cred_check_setacl_vnode(struct ucred *cred, struct vnode *vp, acl_type_t type, struct acl *acl) { ==== //depot/projects/trustedbsd/mac/sys/kern/vfs_lookup.c#15 (text+ko) ==== @@ -570,10 +570,10 @@ unionlookup: #ifdef MAC /* - * Execute MAC search policy check here, in the heart of all + * Execute MAC lookup policy check here, in the heart of all * "sanctioned" lookup operations. */ - error = mac_cred_check_search_vnode(td->td_ucred, dp); + error = mac_cred_check_lookup_vnode(td->td_ucred, dp); if (error) goto bad; #endif /* MAC */ ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#58 (text+ko) ==== 
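Review bot: `mac_cred_check_lookup_vnode()` in kern_mac.c (hunk at -1669) has no header comment, and two things a caller must know are only discoverable from the body: `dvp` must already be locked (the `ASSERT_VOP_LOCKED`), and with `mac_enforce_fs` off the function returns 0 before the label is refreshed or any policy is consulted. A short comment would record both, e.g. `/* Check whether cred may look up names in the locked directory dvp; no policy is consulted when mac_enforce_fs is 0. */`. `error` is returned right after `MAC_CHECK(...)` with no visible assignment, so the macro presumably sets it; the comment could say so as well.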
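Review bot: The comment at `unionlookup:` in vfs_lookup.c still says the check covers all "sanctioned" lookups without saying what falls outside that set. Only the directory `dp` and `td->td_ucred` reach the hook, and this is the only call site in the change, so any path that reaches a directory without passing this label would presumably skip the lookup policy. If that is the intent, consider one more comment line such as `* Paths that do not pass through unionlookup are not subject to this check.` The enclosing function starts and ends outside the hunk, so which paths those are cannot be confirmed from here.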
@@ -1469,6 +1469,24 @@ } static int +mac_biba_cred_check_lookup_vnode(struct ucred *cred, struct vnode *dvp, + struct label *dlabel) +{ + struct mac_biba *subj, *obj; + + if (!mac_biba_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(dlabel); + + if (!mac_biba_dominate_single(obj, subj)) + return (EACCES); + + return (0); +} + +static int mac_biba_cred_check_open_vnode(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, mode_t acc_mode) { @@ -1596,24 +1614,6 @@ } static int -mac_biba_cred_check_search_vnode(struct ucred *cred, struct vnode *dvp, - struct label *dlabel) -{ - struct mac_biba *subj, *obj; - - if (!mac_biba_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT(dlabel); - - if (!mac_biba_dominate_single(obj, subj)) - return (EACCES); - - return (0); -} - -static int mac_biba_cred_check_setacl_vnode(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type, struct acl *acl) { 
@@ -1727,42 +1727,42 @@ static int mac_biba_cred_check_sched_proc(struct ucred *cred, struct proc *proc) { - struct mac_biba *subj, *obj; + struct mac_biba *subj, *obj; - if (!mac_biba_enabled) - return (0); + if (!mac_biba_enabled) + return (0); - subj = SLOT(&cred->cr_label); - obj = SLOT(&proc->p_ucred->cr_label); + subj = SLOT(&cred->cr_label); + obj = SLOT(&proc->p_ucred->cr_label); - /* XXX: range checks */ - if (!mac_biba_dominate_single(obj, subj)) - return (ESRCH); - if (!mac_biba_dominate_single(subj, obj)) - return (EACCES); + /* XXX: range checks */ + if (!mac_biba_dominate_single(obj, subj)) + return (ESRCH); + if (!mac_biba_dominate_single(subj, obj)) + return (EACCES); - return (0); + return (0); } static int mac_biba_cred_check_signal_proc(struct ucred *cred, struct proc *proc, int signum) { - struct mac_biba *subj, *obj; + struct mac_biba *subj, *obj; - if (!mac_biba_enabled) - return (0); + if (!mac_biba_enabled) + return (0); - subj = SLOT(&cred->cr_label); - obj = SLOT(&proc->p_ucred->cr_label); + subj = SLOT(&cred->cr_label); + obj = SLOT(&proc->p_ucred->cr_label); - /* XXX: range checks */ - if (!mac_biba_dominate_single(obj, subj)) - return (ESRCH); - if (!mac_biba_dominate_single(subj, obj)) - return (EACCES); + /* XXX: range checks */ + if (!mac_biba_dominate_single(obj, subj)) + return (ESRCH); + if (!mac_biba_dominate_single(subj, obj)) + return (EACCES); - return (0); + return (0); } static int @@ -1971,6 +1971,8 @@ (macop_t)mac_biba_cred_check_getacl_vnode }, { MAC_CRED_CHECK_GETEXTATTR_VNODE, (macop_t)mac_biba_cred_check_getextattr_vnode }, + { MAC_CRED_CHECK_LOOKUP_VNODE, + (macop_t)mac_biba_cred_check_lookup_vnode }, { MAC_CRED_CHECK_OPEN_VNODE, (macop_t)mac_biba_cred_check_open_vnode }, { MAC_CRED_CHECK_READDIR_VNODE, 
@@ -1983,8 +1985,6 @@ (macop_t)mac_biba_cred_check_rename_to_vnode }, { MAC_CRED_CHECK_REVOKE_VNODE, (macop_t)mac_biba_cred_check_revoke_vnode }, - { MAC_CRED_CHECK_SEARCH_VNODE, - (macop_t)mac_biba_cred_check_search_vnode }, { MAC_CRED_CHECK_SETACL_VNODE, (macop_t)mac_biba_cred_check_setacl_vnode }, { MAC_CRED_CHECK_SETEXTATTR_VNODE, ==== //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#37 (text+ko) ==== @@ -442,6 +442,22 @@ } static int +mac_bsdextended_cred_check_lookup_vnode(struct ucred *cred, struct vnode *dvp, + struct label *dlabel) +{ + struct vattr vap; + int error; + + if (!mac_bsdextended_enabled) + return (0); + + error = VOP_GETATTR(dvp, &vap, cred, curthread); + if (error) + return (error); + return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VEXEC)); +} + +static int mac_bsdextended_cred_check_open_vnode(struct ucred *cred, struct vnode *vp, struct label *filelabel, mode_t acc_mode) { @@ -559,22 +575,6 @@ } static int -mac_bsdextended_cred_check_search_vnode(struct ucred *cred, struct vnode *dvp, - struct label *dlabel) -{ - struct vattr vap; - int error; - - if (!mac_bsdextended_enabled) - return (0); - - error = VOP_GETATTR(dvp, &vap, cred, curthread); - if (error) - return (error); - return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VEXEC)); -} - -static int mac_bsdextended_cred_check_setacl_vnode(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type, struct acl *acl) { @@ -771,6 +771,8 @@ (macop_t)mac_bsdextended_cred_check_getacl_vnode }, { MAC_CRED_CHECK_GETEXTATTR_VNODE, (macop_t)mac_bsdextended_cred_check_getextattr_vnode }, + { MAC_CRED_CHECK_LOOKUP_VNODE, + (macop_t)mac_bsdextended_cred_check_lookup_vnode }, { MAC_CRED_CHECK_OPEN_VNODE, (macop_t)mac_bsdextended_cred_check_open_vnode }, { MAC_CRED_CHECK_READDIR_VNODE, 
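Review bot: `mac_bsdextended_cred_check_lookup_vnode()` (hunk at -442) passes `VEXEC` and the directory's owner uid/gid to `mac_bsdextended_check()` with no comment on why, and it ignores `dlabel`. A one-line comment would make the rule explicit: `/* Lookup needs search permission on the directory, so evaluate the rules for VEXEC against dvp's owner and group. */`. The hook also issues a `VOP_GETATTR()` on every call, and an error there fails the lookup, which is the safe direction. That is worth stating so the error path is not later turned into a pass.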
@@ -783,8 +785,6 @@ (macop_t)mac_bsdextended_cred_check_rename_to_vnode }, { MAC_CRED_CHECK_REVOKE_VNODE, (macop_t)mac_bsdextended_cred_check_revoke_vnode }, - { MAC_CRED_CHECK_SEARCH_VNODE, - (macop_t)mac_bsdextended_cred_check_search_vnode }, { MAC_CRED_CHECK_SETACL_VNODE, (macop_t)mac_bsdextended_cred_check_setacl_vnode }, { MAC_CRED_CHECK_SETEXTATTR_VNODE, ==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#46 (text+ko) ==== @@ -1412,6 +1412,24 @@ } static int +mac_mls_cred_check_lookup_vnode(struct ucred *cred, struct vnode *dvp, + struct label *dlabel) +{ + struct mac_mls *subj, *obj; + + if (!mac_mls_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(dlabel); + + if (!mac_mls_dominate_single(subj, obj)) + return (EACCES); + + return (0); +} + +static int mac_mls_cred_check_open_vnode(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, mode_t acc_mode) { @@ -1539,24 +1557,6 @@ } static int -mac_mls_cred_check_search_vnode(struct ucred *cred, struct vnode *dvp, - struct label *dlabel) -{ - struct mac_mls *subj, *obj; - - if (!mac_mls_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT(dlabel); - - if (!mac_mls_dominate_single(subj, obj)) - return (EACCES); - - return (0); -} - -static int mac_mls_cred_check_setacl_vnode(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type, struct acl *acl) { 
@@ -1670,42 +1670,42 @@ static int mac_mls_cred_check_sched_proc(struct ucred *cred, struct proc *proc) { - struct mac_mls *subj, *obj; + struct mac_mls *subj, *obj; - if (!mac_mls_enabled) - return (0); + if (!mac_mls_enabled) + return (0); - subj = SLOT(&cred->cr_label); - obj = SLOT(&proc->p_ucred->cr_label); + subj = SLOT(&cred->cr_label); + obj = SLOT(&proc->p_ucred->cr_label); - /* XXX: range checks */ - if (!mac_mls_dominate_single(subj, obj)) - return (ESRCH); - if (!mac_mls_dominate_single(obj, subj)) - return (EACCES); + /* XXX: range checks */ + if (!mac_mls_dominate_single(subj, obj)) + return (ESRCH); + if (!mac_mls_dominate_single(obj, subj)) + return (EACCES); - return (0); + return (0); } static int mac_mls_cred_check_signal_proc(struct ucred *cred, struct proc *proc, int signum) { - struct mac_mls *subj, *obj; + struct mac_mls *subj, *obj; - if (!mac_mls_enabled) - return (0); + if (!mac_mls_enabled) + return (0); - subj = SLOT(&cred->cr_label); - obj = SLOT(&proc->p_ucred->cr_label); + subj = SLOT(&cred->cr_label); + obj = SLOT(&proc->p_ucred->cr_label); - /* XXX: range checks */ - if (!mac_mls_dominate_single(subj, obj)) - return (ESRCH); - if (!mac_mls_dominate_single(obj, subj)) - return (EACCES); + /* XXX: range checks */ + if (!mac_mls_dominate_single(subj, obj)) + return (ESRCH); + if (!mac_mls_dominate_single(obj, subj)) + return (EACCES); - return (0); + return (0); } static int @@ -1914,6 +1914,8 @@ (macop_t)mac_mls_cred_check_getacl_vnode }, { MAC_CRED_CHECK_GETEXTATTR_VNODE, (macop_t)mac_mls_cred_check_getextattr_vnode }, + { MAC_CRED_CHECK_LOOKUP_VNODE, + (macop_t)mac_mls_cred_check_lookup_vnode }, { MAC_CRED_CHECK_OPEN_VNODE, (macop_t)mac_mls_cred_check_open_vnode }, { MAC_CRED_CHECK_READDIR_VNODE, 
@@ -1926,8 +1928,6 @@ (macop_t)mac_mls_cred_check_rename_to_vnode }, { MAC_CRED_CHECK_REVOKE_VNODE, (macop_t)mac_mls_cred_check_revoke_vnode }, - { MAC_CRED_CHECK_SEARCH_VNODE, - (macop_t)mac_mls_cred_check_search_vnode }, { MAC_CRED_CHECK_SETACL_VNODE, (macop_t)mac_mls_cred_check_setacl_vnode }, { MAC_CRED_CHECK_SETEXTATTR_VNODE, ==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#39 (text+ko) ==== @@ -676,6 +676,14 @@ } static int +mac_none_cred_check_lookup_vnode(struct ucred *cred, struct vnode *dvp, + struct label *dlabel) +{ + + return (0); +} + +static int mac_none_cred_check_open_vnode(struct ucred *cred, struct vnode *vp, struct label *filelabel, mode_t acc_mode) { @@ -724,14 +732,6 @@ } static int -mac_none_cred_check_search_vnode(struct ucred *cred, struct vnode *dvp, - struct label *dlabel) -{ - - return (0); -} - -static int mac_none_cred_check_setacl_vnode(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type, struct acl *acl) { @@ -984,6 +984,8 @@ (macop_t)mac_none_cred_check_getextattr_vnode }, { MAC_CRED_CHECK_LISTEN_SOCKET, (macop_t)mac_none_cred_check_listen_socket }, + { MAC_CRED_CHECK_LOOKUP_VNODE, + (macop_t)mac_none_cred_check_lookup_vnode }, { MAC_CRED_CHECK_OPEN_VNODE, (macop_t)mac_none_cred_check_open_vnode }, { MAC_CRED_CHECK_READDIR_VNODE, @@ -996,8 +998,6 @@ (macop_t)mac_none_cred_check_rename_to_vnode }, { MAC_CRED_CHECK_REVOKE_VNODE, (macop_t)mac_none_cred_check_revoke_vnode }, - { MAC_CRED_CHECK_SEARCH_VNODE, - (macop_t)mac_none_cred_check_search_vnode }, { MAC_CRED_CHECK_SETACL_VNODE, (macop_t)mac_none_cred_check_setacl_vnode }, { MAC_CRED_CHECK_SETEXTATTR_VNODE, ==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#41 (text+ko) ==== 
@@ -1167,6 +1167,15 @@ } static int +mac_te_cred_check_lookup_vnode(struct ucred *cred, struct vnode *dvp, + struct label *dlabel) +{ + + return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel), + MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_LOOKUP)); +} + +static int mac_te_cred_check_revoke_vnode(struct ucred *cred, struct vnode *vp, struct label *label) { @@ -1176,15 +1185,6 @@ } static int -mac_te_cred_check_search_vnode(struct ucred *cred, struct vnode *dvp, - struct label *dlabel) -{ - - return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_LOOKUP)); -} - -static int mac_te_cred_check_setacl_vnode(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type, struct acl *acl) { 
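Review bot: `mac_te_cred_check_lookup_vnode()` (hunk at -1167) goes straight to `mac_te_check()`, whereas the biba, mls and bsdextended lookup hooks in this same change all start with an early `return (0)` when their policy is disabled. Whether `mac_te_check()` performs that gate itself is not visible here. If it does, a comment such as `/* Policy enable state is handled inside mac_te_check(). */` would record it. If it does not, the difference from the other policies deserves a sentence in the function's header comment.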
@@ -1529,26 +1529,26 @@ static struct mac_policy_op_entry mac_te_ops[] = { - { MAC_INIT_BPFDESC, (macop_t)mac_te_init_bpfdesc }, - { MAC_INIT_DEVFSDIRENT, (macop_t)mac_te_init_devfsdirent }, - { MAC_INIT_IFNET, (macop_t)mac_te_init_ifnet }, - { MAC_INIT_IPQ, (macop_t)mac_te_init_ipq }, - { MAC_INIT_MBUF, (macop_t)mac_te_init_mbuf }, - { MAC_INIT_MOUNT, (macop_t)mac_te_init_mount }, - { MAC_INIT_SOCKET, (macop_t)mac_te_init_socket }, - { MAC_INIT_SUBJECT, (macop_t)mac_te_init_subject }, - { MAC_INIT_TEMP, (macop_t)mac_te_init_temp }, - { MAC_INIT_VNODE, (macop_t)mac_te_init_vnode }, - { MAC_DESTROY_BPFDESC, (macop_t)mac_te_destroy_bpfdesc }, - { MAC_DESTROY_DEVFSDIRENT, (macop_t)mac_te_destroy_devfsdirent }, - { MAC_DESTROY_IFNET, (macop_t)mac_te_destroy_ifnet }, - { MAC_DESTROY_IPQ, (macop_t)mac_te_destroy_ipq }, - { MAC_DESTROY_MBUF, (macop_t)mac_te_destroy_mbuf }, - { MAC_DESTROY_MOUNT, (macop_t)mac_te_destroy_mount }, - { MAC_DESTROY_SOCKET, (macop_t)mac_te_destroy_socket }, - { MAC_DESTROY_SUBJECT, (macop_t)mac_te_destroy_subject }, - { MAC_DESTROY_TEMP, (macop_t)mac_te_destroy_temp }, - { MAC_DESTROY_VNODE, (macop_t)mac_te_destroy_vnode }, + { MAC_INIT_BPFDESC, (macop_t)mac_te_init_bpfdesc }, + { MAC_INIT_DEVFSDIRENT, (macop_t)mac_te_init_devfsdirent }, + { MAC_INIT_IFNET, (macop_t)mac_te_init_ifnet }, + { MAC_INIT_IPQ, (macop_t)mac_te_init_ipq }, + { MAC_INIT_MBUF, (macop_t)mac_te_init_mbuf }, + { MAC_INIT_MOUNT, (macop_t)mac_te_init_mount }, + { MAC_INIT_SOCKET, (macop_t)mac_te_init_socket }, + { MAC_INIT_SUBJECT, (macop_t)mac_te_init_subject }, + { MAC_INIT_TEMP, (macop_t)mac_te_init_temp }, + { MAC_INIT_VNODE, (macop_t)mac_te_init_vnode }, + { MAC_DESTROY_BPFDESC, (macop_t)mac_te_destroy_bpfdesc }, + { MAC_DESTROY_DEVFSDIRENT, (macop_t)mac_te_destroy_devfsdirent }, + { MAC_DESTROY_IFNET, (macop_t)mac_te_destroy_ifnet }, + { MAC_DESTROY_IPQ, (macop_t)mac_te_destroy_ipq }, + { MAC_DESTROY_MBUF, (macop_t)mac_te_destroy_mbuf }, + { MAC_DESTROY_MOUNT, 
(macop_t)mac_te_destroy_mount }, + { MAC_DESTROY_SOCKET, (macop_t)mac_te_destroy_socket }, + { MAC_DESTROY_SUBJECT, (macop_t)mac_te_destroy_subject }, + { MAC_DESTROY_TEMP, (macop_t)mac_te_destroy_temp }, + { MAC_DESTROY_VNODE, (macop_t)mac_te_destroy_vnode }, { MAC_CREATE_DEVFS_DEVICE, (macop_t)mac_te_create_devfs_device }, { MAC_CREATE_DEVFS_DIRECTORY, (macop_t)mac_te_create_devfs_directory }, { MAC_CREATE_DEVFS_VNODE, (macop_t)mac_te_create_devfs_vnode }, @@ -1629,6 +1629,8 @@ (macop_t)mac_te_cred_check_getacl_vnode }, { MAC_CRED_CHECK_GETEXTATTR_VNODE, (macop_t)mac_te_cred_check_getextattr_vnode }, + { MAC_CRED_CHECK_LOOKUP_VNODE, + (macop_t)mac_te_cred_check_lookup_vnode }, { MAC_CRED_CHECK_OPEN_VNODE, (macop_t)mac_te_cred_check_open_vnode }, { MAC_CRED_CHECK_READDIR_VNODE, (macop_t)mac_te_cred_check_readdir_vnode }, @@ -1640,8 +1642,6 @@ (macop_t)mac_te_cred_check_rename_to_vnode }, { MAC_CRED_CHECK_REVOKE_VNODE, (macop_t)mac_te_cred_check_revoke_vnode }, - { MAC_CRED_CHECK_SEARCH_VNODE, - (macop_t)mac_te_cred_check_search_vnode }, { MAC_CRED_CHECK_SETACL_VNODE, (macop_t)mac_te_cred_check_setacl_vnode }, { MAC_CRED_CHECK_SETEXTATTR_VNODE, ==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.h#9 (text+ko) ==== ==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#9 (text+ko) ==== @@ -869,6 +869,14 @@ } static int +mac_test_cred_check_lookup_vnode(struct ucred *cred, struct vnode *dvp, + struct label *dlabel) +{ + + return (0); +} + +static int mac_test_cred_check_open_vnode(struct ucred *cred, struct vnode *vp, struct label *filelabel, mode_t acc_mode) { @@ -917,14 +925,6 @@ } static int -mac_test_cred_check_search_vnode(struct ucred *cred, struct vnode *dvp, - struct label *dlabel) -{ - - return (0); -} - -static int mac_test_cred_check_setacl_vnode(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type, struct acl *acl) { 
@@ -1175,6 +1175,8 @@ (macop_t)mac_test_cred_check_getextattr_vnode }, { MAC_CRED_CHECK_LISTEN_SOCKET, (macop_t)mac_test_cred_check_listen_socket }, + { MAC_CRED_CHECK_LOOKUP_VNODE, + (macop_t)mac_test_cred_check_lookup_vnode }, { MAC_CRED_CHECK_OPEN_VNODE, (macop_t)mac_test_cred_check_open_vnode }, { MAC_CRED_CHECK_READDIR_VNODE, @@ -1187,8 +1189,6 @@ (macop_t)mac_test_cred_check_rename_to_vnode }, { MAC_CRED_CHECK_REVOKE_VNODE, (macop_t)mac_test_cred_check_revoke_vnode }, - { MAC_CRED_CHECK_SEARCH_VNODE, - (macop_t)mac_test_cred_check_search_vnode }, { MAC_CRED_CHECK_SETACL_VNODE, (macop_t)mac_test_cred_check_setacl_vnode }, { MAC_CRED_CHECK_SETEXTATTR_VNODE, ==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#115 (text+ko) ==== @@ -260,7 +260,7 @@ int attrnamespace, const char *name, struct uio *uio); int mac_cred_check_listen_socket(struct ucred *cred, struct socket *socket); -int mac_cred_check_search_vnode(struct ucred *cred, struct vnode *dvp); +int mac_cred_check_lookup_vnode(struct ucred *cred, struct vnode *dvp); int mac_cred_check_setacl_vnode(struct ucred *cred, struct vnode *vp, acl_type_t type, struct acl *acl); int mac_cred_check_setextattr_vnode(struct ucred *cred, struct vnode *vp, ==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#78 (text+ko) ==== @@ -271,6 +271,8 @@ int attrnamespace, const char *name, struct uio *uio); int (*mpo_cred_check_listen_socket)(struct ucred *cred, struct socket *socket, struct label *socketlabel); + int (*mpo_cred_check_lookup_vnode)(struct ucred *cred, + struct vnode *dvp, struct label *dlabel); int (*mpo_cred_check_open_vnode)(struct ucred *cred, struct vnode *vp, struct label *label, mode_t acc_mode); 
@@ -286,8 +288,6 @@ struct vnode *vp, struct label *label, int samedir); int (*mpo_cred_check_revoke_vnode)(struct ucred *cred, struct vnode *vp, struct label *label); - int (*mpo_cred_check_search_vnode)(struct ucred *cred, - struct vnode *dvp, struct label *dlabel); int (*mpo_cred_check_setacl_vnode)(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type, struct acl *acl); @@ -406,13 +406,13 @@ MAC_CRED_CHECK_GETACL_VNODE, MAC_CRED_CHECK_GETEXTATTR_VNODE, MAC_CRED_CHECK_LISTEN_SOCKET, + MAC_CRED_CHECK_LOOKUP_VNODE, MAC_CRED_CHECK_OPEN_VNODE, MAC_CRED_CHECK_READDIR_VNODE, MAC_CRED_CHECK_READLINK_VNODE, MAC_CRED_CHECK_RENAME_FROM_VNODE, MAC_CRED_CHECK_RENAME_TO_VNODE, MAC_CRED_CHECK_REVOKE_VNODE, - MAC_CRED_CHECK_SEARCH_VNODE, MAC_CRED_CHECK_SETACL_VNODE, MAC_CRED_CHECK_SETEXTATTR_VNODE, MAC_CRED_CHECK_SETFLAGS_VNODE, To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
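Review bot: In the enum hunk of mac_policy.h (-406), `MAC_CRED_CHECK_LOOKUP_VNODE` is inserted before `MAC_CRED_CHECK_OPEN_VNODE` while `MAC_CRED_CHECK_SEARCH_VNODE` is dropped after `MAC_CRED_CHECK_REVOKE_VNODE`. If the enumerators rely on implicit numbering (no explicit values are visible), every constant from OPEN_VNODE through REVOKE_VNODE changes value. A policy module built against the previous header would then register, for example, its open handler under the lookup id, and the kern_mac.c switch stores `mpe->mpe_function` into the typed slot without any signature check. I would state in the change description that all policy modules must be rebuilt with this header, and add a comment above the list such as `/* Operation ids are positional; rebuild every policy module when this list changes. */`. The enum begins and ends outside the hunk.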