Date: Tue, 3 Sep 2002 10:35:23 -0700 (PDT) From: Chris Vance <cvance@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 16999 for review Message-ID: <200209031735.g83HZN13060122@freefall.freebsd.org>
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=16999
Change 16999 by cvance@cvance_laptop on 2002/09/03 10:35:10
Fix bugs that prevented compilation
Add a few more permission checks
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#24 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#24 (text+ko) ====
@@ -306,7 +306,7 @@
 SLOT(label) = NULL;
 }
-static inline security_class_t
+static __inline security_class_t
 vnode_mode_to_security_class(struct vnode *vp)
 {
 switch (vp->v_type) {
@@ -324,11 +324,11 @@
 return SECCLASS_SOCK_FILE;
 case VFIFO:
 return SECCLASS_FIFO_FILE;
+ case VNON:
+ case VBAD:
+ return SECCLASS_FILE;
 }
- /*
- * VNON and VBAD
- */
 return SECCLASS_FILE;
 }
@@ -501,11 +501,12 @@
 sebsd_check_vnode_create(struct ucred *cred, struct vnode *dvp,
 struct label *dlabel, struct vattr *vap)
 {
- /* TBD: Not Implemented */
- struct vnode_security_struct *file, *dir;
+ struct task_security_struct *task;
+ struct vnode_security_struct *dir;
- file = SLOT(&cred->cr_label);
+ task = SLOT(&cred->cr_label);
 dir = SLOT(dlabel);
+ /* TBD: Not Implemented */
 return 0;
 }
@@ -589,8 +590,7 @@
 struct label *label, int attrnamespace, const char *name,
 struct uio *uio)
 {
- /* TBD: Not Implemented */
- return 0;
+ return vnode_has_perm(cred, vp, FILE__GETATTR, NULL);
 }
 static int
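Review bot: In the `@@ -501,11 +501,12 @@` hunk, sebsd_check_vnode_create still ends in an unconditional `return 0;`, so `task` and `dir` are assigned but never read and every create is permitted regardless of the directory's label. If the check is deliberately deferred, it is clearer to say so at the return rather than between the assignments, e.g. `/* TBD: no directory add-name/search check yet; permits unconditionally. */`, so a reader does not mistake the assignments for an implemented check. When the check is filled in, the `avc_has_perm_ref(task->sid, old_dir->sid, SECCLASS_DIR, ...)` form used by sebsd_check_vnode_rename_from later in this change is the natural shape to mirror against `dir->sid`.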
@@ -637,15 +637,37 @@
 sebsd_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
 struct label *label)
 {
- /* TBD: Not Implemented */
- return 0;
+ return vnode_has_perm(cred, vp, FILE__READ, NULL);
 }
 static int
 sebsd_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
 struct label *oldlabel, struct label *newlabel)
 {
- /* TBD: Not Implemented */
+ struct task_security_struct *task;
+ struct vnode_security_struct *old, *new;
+ int rc;
+
+ task = SLOT(&cred->cr_label);
+ old = SLOT(oldlabel);
+ new = SLOT(oldlabel);
+
+ /* TBD: audit? */
+ rc = avc_has_perm_ref(task->sid, old->sid, old->sclass,
+ FILE__RELABELFROM, &old->avcr);
+ if (rc)
+ return (rc);
+
+ rc = avc_has_perm(task->sid, new->sid, old->sclass, FILE__RELABELTO);
+
+ if (rc)
+ return (rc);
+ /*
+ * TBD:
+ * SELinux also checks the superblock for class SECCLASS_FILESYSTEM
+ * and permission FILESYSTEM__ASSOCIATE
+ */
+ return 0;
 }
@@ -655,7 +677,7 @@
 struct label *label)
 {
 struct task_security_struct *task;
- struct vnode_security_struct *old_dir, old_file;
+ struct vnode_security_struct *old_dir, *old_file;
 int rc;
 task = SLOT(&cred->cr_label);
@@ -665,7 +687,7 @@
 /* TBD: audit data? */
 rc = avc_has_perm_ref(task->sid, old_dir->sid, SECCLASS_DIR,
 DIR__REMOVE_NAME | DIR__SEARCH,
- old_dirsec->avcr);
+ &old_dir->avcr);
 if (rc)
 return (rc);
 rc = avc_has_perm_ref(task->sid, old_file->sid, old_file->sclass,
@@ -682,7 +704,7 @@
 struct label *label, int samedir)
 {
 struct task_security_struct *task;
- struct vnode_security_struct *new_dir, new_file;
+ struct vnode_security_struct *new_dir, *new_file;
 access_vector_t av;
 int rc;
@@ -752,8 +774,7 @@
 struct label *label, int attrnamespace, const char *name,
 struct uio *uio)
 {
- /* TBD: Not Implemented */
- return 0;
+ return vnode_has_perm(cred, vp, FILE__SETATTR, NULL);
 }
 static int
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
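Review bot: `new = SLOT(oldlabel);` in sebsd_check_vnode_relabel reads the wrong label: the FILE__RELABELTO check below it then tests `new->sid`, which is the current vnode's SID rather than the requested one, so the target context is never consulted and the relabel-to half of the policy decision is effectively skipped. It should be `new = SLOT(newlabel);`. The `newlabel` parameter is otherwise unused in the hunk, which is the tell. The FILESYSTEM__ASSOCIATE gap is already recorded in the TBD comment, so no further note is needed there.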
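Review bot: The `@@ -752,8 +774,7 @@` hunk makes sebsd_check_vnode_setextattr grant on FILE__SETATTR alone and ignores `attrnamespace` and `name`. If the vnode's security label is persisted as an extended attribute (not visible in this change; worth confirming), a subject holding FILE__SETATTR could write that attribute directly and bypass the FILE__RELABELFROM / FILE__RELABELTO checks that sebsd_check_vnode_relabel performs. Either the label attribute should be refused here and routed through the relabel path, or a comment should state why that is not reachable, e.g. `/* NOTE: does not distinguish the label attribute from user extattrs; confirm the label is not writable via this hook. */`.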