Date:      Fri, 19 Jul 2002 21:08:21 -0700 (PDT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 14500 for review
Message-ID:  <200207200408.g6K48LoH017142@freefall.freebsd.org>

http://people.freebsd.org/~peter/p4db/chv.cgi?CH=14500

Change 14500 by rwatson@rwatson_curry on 2002/07/19 21:07:37

	Entry point to authorize chroot().  No policy implementations yet.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#174 edit
.. //depot/projects/trustedbsd/mac/sys/kern/vfs_syscalls.c#49 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#111 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#72 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#174 (text+ko) ====

@@ -514,6 +514,10 @@
 			mpc->mpc_ops.mpo_cred_check_chdir_vnode =
 			    mpe->mpe_function;
 			break;
+		case MAC_CRED_CHECK_CHROOT_VNODE:
+			mpc->mpc_ops.mpo_cred_check_chroot_vnode =
+			    mpe->mpe_function;
+			break;
 		case MAC_CRED_CHECK_CREATE_VNODE:
 			mpc->mpc_ops.mpo_cred_check_create_vnode =
 			    mpe->mpe_function;
@@ -1556,6 +1560,24 @@
 }
 
 int
+mac_cred_check_chroot_vnode(struct ucred *cred, struct vnode *dvp)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(dvp, "mac_cred_check_chroot_vnode");
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	error = vn_refreshlabel(dvp, cred);
+	if (error)
+		return (error);
+
+	MAC_CHECK(cred_check_chroot_vnode, cred, dvp, &dvp->v_label);
+	return (error);
+}
+
+int
 mac_cred_check_create_vnode(struct ucred *cred, struct vnode *dvp,
     struct vattr *vap)
 {
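Review bot: The new mac_cred_check_chroot_vnode carries no header comment stating its contract, even though it asserts `dvp` locked and returns 0 before touching the label when `mac_enforce_fs` is clear. A comment above the definition such as `/* Authorize chroot(2) into dvp for cred.  dvp must be locked by the caller; a 0 return without consulting policies means filesystem enforcement is disabled. */` would record both requirements for the callers being added in vfs_syscalls.c. The final `return (error)` relies on MAC_CHECK assigning `error`, which is not visible in this hunk; if that macro can leave it untouched, the value from vn_refreshlabel (already known to be 0) is what gets returned. The mac_cred_check_create_vnode definition that follows continues outside the hunk.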

==== //depot/projects/trustedbsd/mac/sys/kern/vfs_syscalls.c#49 (text+ko) ====

@@ -1600,7 +1600,15 @@
 	NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE,
 	    SCARG(uap, path), td);
 #ifdef MAC
-	/* XXXMAC: MAC check for chroot here. */
+	if ((error = mac_cred_check_chroot_vnode(td->td_ucred, nd.ni_vp))) {
+		/*
+		 * XXX: Release of namei() structures may be wrong here
+		 * and below in existing code.
+		 */
+		FILEDESC_UNLOCK(fdp);
+		vput(nd.ni_vp);
+		return (error);
+	}
 #endif
 	if ((error = change_dir(&nd, td)) != 0)
 		return (error);
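Review bot: The added check reads `nd.ni_vp` directly after NDINIT, with no namei() visible between them; if change_dir() is what performs the lookup (the NDINIT/change_dir pairing on the surrounding lines suggests so), the MAC hook is handed an uninitialized vnode pointer and the error path calls vput() on it. Running the check after change_dir() succeeds, while the LOCKLEAF-locked vnode is still held, gives the hook a real, locked `dvp` and keeps the vput() in the failure path consistent. The `FILEDESC_UNLOCK(fdp)` on the error path also needs confirming: nothing in the hunk shows fdp held at this point, and the XXX comment says the cleanup was not verified, so unlocking an unheld mutex would be its own defect. The enclosing chroot() body begins and ends outside the hunk.
```c
	NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE,
	    SCARG(uap, path), td);
	if ((error = change_dir(&nd, td)) != 0)
		return (error);
#ifdef MAC
	/*
	 * Checked after change_dir() so nd.ni_vp refers to the looked-up
	 * vnode, which LOCKLEAF leaves locked as the hook requires.
	 */
	if ((error = mac_cred_check_chroot_vnode(td->td_ucred, nd.ni_vp))) {
		vput(nd.ni_vp);
		return (error);
	}
#endif
	/* … unchanged: remainder of chroot() … */
```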

==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#111 (text+ko) ====

@@ -247,6 +247,7 @@
 int	mac_cred_check_bind_socket(struct ucred *cred, struct socket *so,
 	    struct sockaddr *sa);
 int	mac_cred_check_chdir_vnode(struct ucred *cred, struct vnode *dvp);
+int	mac_cred_check_chroot_vnode(struct ucred *cred, struct vnode *dvp);
 int	mac_cred_check_connect_socket(struct ucred *cred, struct socket *so,
 	    struct sockaddr *sa);
 int	mac_cred_check_create_vnode(struct ucred *cred, struct vnode *dvp,

==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#72 (text+ko) ====

@@ -252,6 +252,8 @@
 		    struct vnode *vp, struct label *label, int flags);
 	int	(*mpo_cred_check_chdir_vnode)(struct ucred *cred,
 		    struct vnode *dvp, struct label *dlabel);
+	int	(*mpo_cred_check_chroot_vnode)(struct ucred *cred,
+		    struct vnode *dvp, struct label *dlabel);
 	int	(*mpo_cred_check_create_vnode)(struct ucred *cred,
 		    struct vnode *dvp, struct label *dlabel,
 		    struct vattr *vap);
@@ -391,6 +393,7 @@
 	MAC_CRED_CHECK_DEBUG_PROC,
 	MAC_CRED_CHECK_ACCESS_VNODE,
 	MAC_CRED_CHECK_CHDIR_VNODE,
+	MAC_CRED_CHECK_CHROOT_VNODE,
 	MAC_CRED_CHECK_CONNECT_SOCKET,
 	MAC_CRED_CHECK_CREATE_VNODE,
 	MAC_CRED_CHECK_DELETE_VNODE,
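Review bot: Inserting `MAC_CRED_CHECK_CHROOT_VNODE` between the CHDIR and CONNECT_SOCKET constants renumbers every enumerator that follows it. If these values are what policy modules place in their entry tables and are compared in the registration switch (as the kern_mac.c hunk at lines 27-36 does), a module built against the previous mac_policy.h would have its later hooks bound to the wrong `mpo_` slots until it is rebuilt; a one-line comment on the enum, such as `/* Order is ABI: rebuild all policy modules when inserting entries. */`, or appending new entries at the end, would make that constraint explicit. Whether out-of-tree modules are supported here is not visible in this change, so this is a point to confirm.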




