Date: Wed, 18 Sep 2002 15:05:59 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 17671 for review Message-ID: <200209182205.g8IM5xlQ087326@freefall.freebsd.org>
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=17671
Change 17671 by rwatson@rwatson_paprika on 2002/09/18 15:05:04
mac_check_vnode_link() check. Note that since vp isn't yet locked in kern_link() as dl's patch hasn't been committed yet, we don't currently provide access to the target vnode label. We will do once that is committed and the locking protocol is updated.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#268 edit
.. //depot/projects/trustedbsd/mac/sys/kern/vfs_syscalls.c#82 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#160 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#124 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#268 (text+ko) ====
@@ -888,6 +888,10 @@
 mpc->mpc_ops->mpo_check_vnode_getextattr =
 mpe->mpe_function;
 break;
+ case MAC_CHECK_VNODE_LINK:
+ mpc->mpc_ops->mpo_check_vnode_link =
+ mpe->mpe_function;
+ break;
 case MAC_CHECK_VNODE_LOOKUP:
 mpc->mpc_ops->mpo_check_vnode_lookup =
 mpe->mpe_function;
@@ -2164,6 +2168,44 @@
 }
 int
+mac_check_vnode_link(struct ucred *cred, struct vnode *dvp, struct vnode *vp,
+ struct componentname *cnp)
+{
+ int error;
+
+ /*
+ * XXXMAC: Currently, vp is not locked. When it is locked, we'll
+ * provide it as the link argument.
+ */
+ ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup");
+#if 0
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_lookup");
+#endif
+
+ if (!mac_enforce_fs)
+ return (0);
+
+ error = vn_refreshlabel(dvp, cred);
+ if (error)
+ return (error);
+
+#if 0
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+#endif
+
+#if 0
+ MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp,
+ &vp->v_label, cnp);
+#else
+ MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, NULL, NULL,
+ cnp);
+#endif
+ return (error);
+}
+
+int
 mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp)
 {
==== //depot/projects/trustedbsd/mac/sys/kern/vfs_syscalls.c#82 (text+ko) ====
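Review bot: In the second kern_mac.c hunk, both lock assertions in the new mac_check_vnode_link() carry the string "mac_check_vnode_lookup", so a failed assertion would name the wrong entry point; the active one should read `ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link");`, and the copy under `#if 0` should be fixed as well so it is right when enabled. Separately, the live MAC_CHECK call passes NULL for both vp and its label, so for now a policy can decide a link only from the credential, the directory label and the component name, not from the label of the file being linked. Any mpo_check_vnode_link implementation must therefore tolerate NULL for those two arguments. I would state that interim contract next to the mpo_check_vnode_link member in mac_policy.h, for example `/* vp and label are NULL until kern_link() locks the target vnode. */`.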
@@ -1041,7 +1041,13 @@
 } else {
 VOP_LEASE(nd.ni_dvp, td, td->td_ucred, LEASE_WRITE);
 VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
- error = VOP_LINK(nd.ni_dvp, vp, &nd.ni_cnd);
+#ifdef MAC
+ /* XXXMAC: link check */
+ error = mac_check_vnode_link(td->td_ucred, nd.ni_dvp,
+ vp, &nd.ni_cnd);
+ if (error == 0)
+#endif
+ error = VOP_LINK(nd.ni_dvp, vp, &nd.ni_cnd);
 }
 NDFREE(&nd, NDF_ONLY_PNBUF);
 vput(nd.ni_dvp);
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#160 (text+ko) ====
@@ -357,6 +357,8 @@
 acl_type_t type);
 int mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio);
+int mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+ struct vnode *vp, struct componentname *cnp);
 int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp);
 /* XXX This u_char should be vm_prot_t! */
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#124 (text+ko) ====
@@ -330,6 +330,9 @@
 int (*mpo_check_vnode_getextattr)(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio);
+ int (*mpo_check_vnode_link)(struct ucred *cred, struct vnode *dvp,
+ struct label *dlabel, struct vnode *vp,
+ struct label *label, struct componentname *cnp);
 int (*mpo_check_vnode_lookup)(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp);
@@ -502,6 +505,7 @@
 MAC_CHECK_VNODE_EXEC,
 MAC_CHECK_VNODE_GETACL,
 MAC_CHECK_VNODE_GETEXTATTR,
+ MAC_CHECK_VNODE_LINK,
 MAC_CHECK_VNODE_LOOKUP,
 MAC_CHECK_VNODE_MMAP_PERMS,
 MAC_CHECK_VNODE_OPEN,
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
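Review bot: In the vfs_syscalls.c hunk, the added `if (error == 0)` sits inside `#ifdef MAC` while its body, the VOP_LINK() call, sits after the `#endif`, so the denial holds only as long as exactly one statement follows the guard. A second statement added there later would run even when the MAC check refused the link. The comment `/* XXXMAC: link check */` does not say this; I would replace it with `/* Refuse the link before VOP_LINK(); the unbraced if below guards the statement after #endif. */`. The enclosing function starts and ends outside the hunk, so its error path was not reviewed.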
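Review bot: In the last mac_policy.h hunk, MAC_CHECK_VNODE_LINK is inserted in the middle of the operation enum, which shifts the numeric value of MAC_CHECK_VNODE_LOOKUP and every constant after it. The kern_mac.c switch in this change dispatches on those values when a policy registers its entry points. A policy module built against the previous header would therefore presumably have its later check functions attached to the wrong operations. If the list has to stay alphabetical, the change should say that all policy modules must be rebuilt together with the kernel, for instance in a comment above the enum such as `/* Values are not stable: rebuild policy modules whenever an entry is added. */`.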