From owner-p4-projects Sun Jul 28 20:48:27 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 0C42A37B401; Sun, 28 Jul 2002 20:48:00 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B5D0A37B400 for ; Sun, 28 Jul 2002 20:47:59 -0700 (PDT) Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 163AB43E4A for ; Sun, 28 Jul 2002 20:47:59 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from freefall.freebsd.org (perforce@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g6T3lwJU053215 for ; Sun, 28 Jul 2002 20:47:58 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g6T3lwOY053207 for perforce@freebsd.org; Sun, 28 Jul 2002 20:47:58 -0700 (PDT) Date: Sun, 28 Jul 2002 20:47:58 -0700 (PDT) Message-Id: <200207290347.g6T3lwOY053207@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f From: Robert Watson Subject: PERFORCE change 15098 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15098 Change 15098 by rwatson@rwatson_paprika on 2002/07/28 20:47:15 Reorder vnode checks to match canonical mac_policy order to improve readability. Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#63 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#63 (text+ko) ==== 
@@ -1088,6 +1088,200 @@ } static int +mac_te_check_vnode_access(struct ucred *cred, struct vnode *vp, + struct label *label, mode_t flags) +{ + + return (mac_te_check_open_vnode(cred, vp, label, flags)); +} + +static int +mac_te_check_vnode_chdir(struct ucred *cred, struct vnode *dvp, + struct label *dlabel) +{ + + return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel), + MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_CHDIR)); +} + +static int +mac_te_check_vnode_chroot(struct ucred *cred, struct vnode *dvp, + struct label *dlabel) +{ + + return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel), + MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_CHROOT)); +} + +static int +mac_te_check_vnode_create(struct ucred *cred, struct vnode *dvp, + struct label *dlabel, struct componentname *cnp, struct vattr *vap) +{ + + return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel), + MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_WRITE)); +} + +static int +mac_te_check_vnode_delete(struct ucred *cred, struct vnode *dvp, + struct label *dlabel, struct vnode *vp, struct label *label, + struct componentname *cnp) +{ + int error; + + error = mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel), + MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_WRITE); + if (error) + return (error); + switch (vp->v_type) { + case VDIR: + return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_DELETE)); + case VLNK: + return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_DELETE)); + default: + return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_DELETE)); + } +} + +static int +mac_te_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, + struct label *label, acl_type_t type) +{ + + switch (vp->v_type) { + case VDIR: + return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_DELETEACL)); + case VLNK: + return (mac_te_check(SLOT(&cred->cr_label), 
SLOT(label), + MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_DELETEACL)); + default: + return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_DELETEACL)); + } +} + +static int +mac_te_check_exec_vnode(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_EXEC)); +} + +static int +mac_te_check_vnode_getacl(struct ucred *cred, struct vnode *vp, + struct label *label, acl_type_t type) +{ + + switch (vp->v_type) { + case VDIR: + return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_GETACL)); + case VLNK: + return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_GETACL)); + default: + return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_GETACL)); + } +} + +static int +mac_te_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, + struct label *label, int attrnamespace, const char *name, struct uio *uio) +{ + + switch (vp->v_type) { + case VDIR: + return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + MAC_TE_CLASS_FILE, MAC_TE_OPERATION_DIR_GETEXTATTR)); + case VLNK: + return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_GETEXTATTR)); + default: + return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_GETEXTATTR)); + } +} + +static int +mac_te_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, + struct label *dlabel, struct componentname *cnp) +{ + + return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel), + MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_LOOKUP)); +} + +static vm_prot_t +mac_te_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp, + struct label *label, int newmapping) +{ + struct mac_te *subj, *obj; + vm_prot_t prot = 0; + + if (!mac_te_enabled 
|| (!mac_te_revocation_enabled && !newmapping)) + return (VM_PROT_ALL); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE, + MAC_TE_OPERATION_FILE_READ) == 0) + prot |= VM_PROT_READ; + if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE, + MAC_TE_OPERATION_FILE_EXEC) == 0) + prot |= VM_PROT_EXECUTE; + if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE, + MAC_TE_OPERATION_FILE_WRITE) == 0) + prot |= VM_PROT_WRITE; + return (prot); +} + +static int +mac_te_check_vnode_op(struct ucred *cred, struct vnode *vp, + struct label *label, int op) +{ + struct mac_te *subj, *obj; + int error, te_class, te_op; + + if (!mac_te_revocation_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + te_class = MAC_TE_CLASS_FILE; + switch (op) { + case MAC_OP_VNODE_POLL: + te_op = MAC_TE_OPERATION_FILE_POLL; + break; + + case MAC_OP_VNODE_READ: + te_op = MAC_TE_OPERATION_FILE_READ; + break; + + case MAC_OP_VNODE_WRITE: + te_op = MAC_TE_OPERATION_FILE_WRITE; + break; + + default: + printf("mac_te_check_vnode_op: unknown operation %d\n", + op); + return (EINVAL); + } + + error = mac_te_check(subj, obj, MAC_TE_CLASS_FILE, te_op); + + return (error); +} + +static int mac_te_check_open_vnode(struct ucred *cred, struct vnode *vp, struct label *filelabel, mode_t acc_mode) { 
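Review bot: In the moved `mac_te_check_vnode_getextattr`, the `VDIR` case passes `MAC_TE_CLASS_FILE` together with `MAC_TE_OPERATION_DIR_GETEXTATTR`, while every other `vp->v_type` switch in this hunk (`getacl`, `deleteacl`, `delete`) pairs `MAC_TE_CLASS_DIR` with the `DIR_` operation; this looks like a copy-paste slip rather than intent, and if `mac_te_check` interprets the operation relative to the class, a directory's extended-attribute read is being decided against a file-class permission entry. The fix is the one line `MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_GETEXTATTR));` in that case, plus a short test that an extattr read on a directory is denied or allowed by the DIR table, not the FILE table. Separately, in `mac_te_check_vnode_op` the local `te_class` is assigned `MAC_TE_CLASS_FILE` but never read, since the final call passes the constant directly; either drop the variable or pass `te_class` to `mac_te_check` so the switch can set it per operation later. Both issues predate this change (the same text is deleted further down), so they are worth a follow-up rather than a blocker on the reorder.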
@@ -1203,60 +1397,6 @@ } static int -mac_te_check_exec_vnode(struct ucred *cred, struct vnode *vp, - struct label *label) -{ - - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), - MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_EXEC)); -} - -static int -mac_te_check_vnode_getacl(struct ucred *cred, struct vnode *vp, - struct label *label, acl_type_t type) -{ - - switch (vp->v_type) { - case VDIR: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_GETACL)); - case VLNK: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), - MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_GETACL)); - default: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), - MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_GETACL)); - } -} - -static int -mac_te_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, - struct label *label, int attrnamespace, const char *name, struct uio *uio) -{ - - switch (vp->v_type) { - case VDIR: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), - MAC_TE_CLASS_FILE, MAC_TE_OPERATION_DIR_GETEXTATTR)); - case VLNK: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), - MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_GETEXTATTR)); - default: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), - MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_GETEXTATTR)); - } -} - -static int -mac_te_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, - struct label *dlabel, struct componentname *cnp) -{ - - return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_LOOKUP)); -} - -static int mac_te_check_vnode_revoke(struct ucred *cred, struct vnode *vp, struct label *label) { 
@@ -1371,83 +1511,6 @@ } static int -mac_te_check_vnode_access(struct ucred *cred, struct vnode *vp, - struct label *label, mode_t flags) -{ - - return (mac_te_check_open_vnode(cred, vp, label, flags)); -} - -static int -mac_te_check_vnode_chdir(struct ucred *cred, struct vnode *dvp, - struct label *dlabel) -{ - - return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_CHDIR)); -} - -static int -mac_te_check_vnode_chroot(struct ucred *cred, struct vnode *dvp, - struct label *dlabel) -{ - - return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_CHROOT)); -} - -static int -mac_te_check_vnode_create(struct ucred *cred, struct vnode *dvp, - struct label *dlabel, struct componentname *cnp, struct vattr *vap) -{ - - return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_WRITE)); -} - -static int -mac_te_check_vnode_delete(struct ucred *cred, struct vnode *dvp, - struct label *dlabel, struct vnode *vp, struct label *label, - struct componentname *cnp) -{ - int error; - - error = mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_WRITE); - if (error) - return (error); - switch (vp->v_type) { - case VDIR: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_DELETE)); - case VLNK: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), - MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_DELETE)); - default: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), - MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_DELETE)); - } -} - -static int -mac_te_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, - struct label *label, acl_type_t type) -{ - - switch (vp->v_type) { - case VDIR: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_DELETEACL)); - case VLNK: - return (mac_te_check(SLOT(&cred->cr_label), 
SLOT(label), - MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_DELETEACL)); - default: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), - MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_DELETEACL)); - } -} - -static int mac_te_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, struct label *label, struct componentname *cnp) 
@@ -1567,69 +1630,6 @@ return (0); } -static vm_prot_t -mac_te_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp, - struct label *label, int newmapping) -{ - struct mac_te *subj, *obj; - vm_prot_t prot = 0; - - if (!mac_te_enabled || (!mac_te_revocation_enabled && !newmapping)) - return (VM_PROT_ALL); - - subj = SLOT(&cred->cr_label); - obj = SLOT(label); - - if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE, - MAC_TE_OPERATION_FILE_READ) == 0) - prot |= VM_PROT_READ; - if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE, - MAC_TE_OPERATION_FILE_EXEC) == 0) - prot |= VM_PROT_EXECUTE; - if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE, - MAC_TE_OPERATION_FILE_WRITE) == 0) - prot |= VM_PROT_WRITE; - return (prot); -} - -static int -mac_te_check_vnode_op(struct ucred *cred, struct vnode *vp, - struct label *label, int op) -{ - struct mac_te *subj, *obj; - int error, te_class, te_op; - - if (!mac_te_revocation_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT(label); - - te_class = MAC_TE_CLASS_FILE; - switch (op) { - case MAC_OP_VNODE_POLL: - te_op = MAC_TE_OPERATION_FILE_POLL; - break; - - case MAC_OP_VNODE_READ: - te_op = MAC_TE_OPERATION_FILE_READ; - break; - - case MAC_OP_VNODE_WRITE: - te_op = MAC_TE_OPERATION_FILE_WRITE; - break; - - default: - printf("mac_te_check_vnode_op: unknown operation %d\n", - op); - return (EINVAL); - } - - error = mac_te_check(subj, obj, MAC_TE_CLASS_FILE, te_op); - - return (error); -} - static void mac_te_update_devfsdirent_from_vnode(struct devfs_dirent *devfs_dirent, struct label *direntlabel, struct vnode *vp, struct label *vnodelabel) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message