Date: Mon, 20 Oct 2003 18:38:00 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 40055 for review Message-ID: <200310210138.h9L1c00J012768@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=40055
Change 40055 by rwatson@rwatson_tislabs on 2003/10/20 18:37:44
Move file system related MAC entry point and infrastructure code from kern_mac.c to mac_fs.c. The split of exec and VM functionality will probably require some refinement.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/conf/files#90 edit
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#418 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_fs.c#2 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_internal.h#6 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/conf/files#90 (text+ko) ====
@@ -1588,6 +1588,7 @@
 posix4/p1003_1b.c standard
 posix4/posix4_mib.c standard
 kern/uipc_sem.c optional p1003_1b_semaphores
+security/mac/mac_fs.c optional mac
 security/mac/mac_net.c optional mac
 security/mac/mac_pipe.c optional mac
 security/mac/mac_posix_sem.c optional mac
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#418 (text+ko) ====
@@ -116,12 +116,6 @@
 int mac_late = 0;
 /*
- * Warn about EA transactions only the first time they happen.
- * Weak coherency, no locking.
- */
-static int ea_warn_once = 0;
-
-/*
 * Flag to indicate whether or not we should allocate label storage for
 * new mbufs. Since most dynamic policies we currently work with don't
 * rely on mbuf labeling, try to avoid paying the cost of mtag allocation
@@ -136,12 +130,7 @@
 int mac_labelmbufs = 0;
 #endif
-static int mac_enforce_fs = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
- &mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
-TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
-
-static int mac_enforce_process = 1;
+int mac_enforce_process = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
 &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations");
 TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process);
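Review bot: `mac_enforce_process` is changed from `static` to a global in the `@@ -136,12 +130,7 @@` hunk, but no declaration for it is visible anywhere in the change; it should be declared once as `extern int mac_enforce_process;` in mac_internal.h (listed as edited, though its hunk is truncated from the mail) rather than re-declared locally in mac_fs.c, so the two files cannot disagree on its type. The `security.mac.enforce_fs` sysctl, its tunable and the enforcing default of 1 are deleted here and their replacement in mac_fs.c is not visible; the exec hooks gate on `!mac_enforce_process && !mac_enforce_fs`, so the moved copy must keep the same sysctl name and default or file-system enforcement silently changes. `ea_warn_once` leaves with the EA helpers; its comment documents it as unlocked and weakly coherent, and that caveat should travel with it if the moved copy is unchanged.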
@@ -175,34 +164,22 @@
 SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0, "TrustedBSD MAC object counters");
-static unsigned int nmaccreds, nmacmounts, nmactemp, nmacvnodes,
- nmacdevfsdirents, nmacprocs;
+static unsigned int nmaccreds, nmactemp, nmacprocs;
 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD,
 &nmaccreds, 0, "number of ucreds in use");
 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD,
 &nmacprocs, 0, "number of procs in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD,
- &nmacmounts, 0, "number of mounts in use");
 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD,
 &nmactemp, 0, "number of temporary labels in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, vnodes, CTLFLAG_RD,
- &nmacvnodes, 0, "number of vnodes in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, devfsdirents, CTLFLAG_RD,
- &nmacdevfsdirents, 0, "number of devfs dirents inuse");
 #endif
 static int mac_policy_register(struct mac_policy_conf *mpc);
 static int mac_policy_unregister(struct mac_policy_conf *mpc);
-static void mac_check_vnode_mmap_downgrade(struct ucred *cred,
- struct vnode *vp, int *prot);
 static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, struct vm_map *map);
-static int mac_setlabel_vnode_extattr(struct ucred *cred,
- struct vnode *vp, struct label *intlabel);
-
 MALLOC_DEFINE(M_MACTEMP, "mactemp", "MAC temporary label storage");
 /*
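Review bot: The `static` prototype for `mac_check_vnode_mmap_downgrade` is removed here while `mac_cred_mmapped_drop_perms_recurse` keeps its prototype in kern_mac.c; if that recursion still calls the downgrade hook (its body is outside this hunk), the copy now living in mac_fs.c must drop `static` and be declared in mac_internal.h, e.g. `void mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot);`, otherwise the reference will not resolve. The counters `nmacmounts`, `nmacvnodes` and `nmacdevfsdirents` and their `security.mac.debug.counters` sysctls appear to sit inside a conditional closed by the `#endif` just below them; the copies in mac_fs.c should be wrapped in the same conditional so the counter set stays consistent between the two files.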
@@ -615,26 +592,6 @@
 }
 void
-mac_init_devfsdirent(struct devfs_dirent *de)
-{
-
- mac_init_label(&de->de_label);
- MAC_PERFORM(init_devfsdirent_label, &de->de_label);
- MAC_DEBUG_COUNTER_INC(&nmacdevfsdirents);
-}
-
-void
-mac_init_mount(struct mount *mp)
-{
-
- mac_init_label(&mp->mnt_mntlabel);
- mac_init_label(&mp->mnt_fslabel);
- MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
- MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
- MAC_DEBUG_COUNTER_INC(&nmacmounts);
-}
-
-void
 mac_init_proc(struct proc *p)
 {
@@ -643,22 +600,6 @@
 MAC_DEBUG_COUNTER_INC(&nmacprocs);
 }
-void
-mac_init_vnode_label(struct label *label)
-{
-
- mac_init_label(label);
- MAC_PERFORM(init_vnode_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacvnodes);
-}
-
-void
-mac_init_vnode(struct vnode *vp)
-{
-
- mac_init_vnode_label(&vp->v_label);
-}
-
 static void
 mac_destroy_cred_label(struct label *label)
 {
@@ -676,26 +617,6 @@
 }
 void
-mac_destroy_devfsdirent(struct devfs_dirent *de)
-{
-
- MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
- mac_destroy_label(&de->de_label);
- MAC_DEBUG_COUNTER_DEC(&nmacdevfsdirents);
-}
-
-void
-mac_destroy_mount(struct mount *mp)
-{
-
- MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
- MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
- mac_destroy_label(&mp->mnt_fslabel);
- mac_destroy_label(&mp->mnt_mntlabel);
- MAC_DEBUG_COUNTER_DEC(&nmacmounts);
-}
-
-void
 mac_destroy_proc(struct proc *p)
 {
@@ -704,29 +625,6 @@
 MAC_DEBUG_COUNTER_DEC(&nmacprocs);
 }
-void
-mac_destroy_vnode_label(struct label *label)
-{
-
- MAC_PERFORM(destroy_vnode_label, label);
- mac_destroy_label(label);
- MAC_DEBUG_COUNTER_DEC(&nmacvnodes);
-}
-
-void
-mac_destroy_vnode(struct vnode *vp)
-{
-
- mac_destroy_vnode_label(&vp->v_label);
-}
-
-void
-mac_copy_vnode_label(struct label *src, struct label *dest)
-{
-
- MAC_PERFORM(copy_vnode_label, src, dest);
-}
-
 int
 mac_check_structmac_consistent(struct mac *mac)
 {
@@ -750,17 +648,6 @@
 }
 static int
-mac_externalize_vnode_label(struct label *label, char *elements,
- char *outbuf, size_t outbuflen, int flags)
-{
- int error;
-
- MAC_EXTERNALIZE(vnode_label, label, elements, outbuf, outbuflen);
-
- return (error);
-}
-
-static int
 mac_internalize_cred_label(struct label *label, char *string)
 {
 int error;
@@ -770,16 +657,6 @@
 return (error);
 }
-static int
-mac_internalize_vnode_label(struct label *label, char *string)
-{
- int error;
-
- MAC_INTERNALIZE(vnode_label, label, string);
-
- return (error);
-}
-
 /*
 * Initialize MAC label for the first kernel process, from which other
 * kernel processes and threads are spawned.
@@ -821,115 +698,6 @@
 MAC_PERFORM(create_cred, parent_cred, child_cred);
 }
-void
-mac_update_devfsdirent(struct mount *mp, struct devfs_dirent *de,
- struct vnode *vp)
-{
-
- MAC_PERFORM(update_devfsdirent, mp, de, &de->de_label, vp,
- &vp->v_label);
-}
-
-void
-mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
- struct vnode *vp)
-{
-
- MAC_PERFORM(associate_vnode_devfs, mp, &mp->mnt_fslabel, de,
- &de->de_label, vp, &vp->v_label);
-}
-
-int
-mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_associate_vnode_extattr");
-
- MAC_CHECK(associate_vnode_extattr, mp, &mp->mnt_fslabel, vp,
- &vp->v_label);
-
- return (error);
-}
-
-void
-mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp)
-{
-
- MAC_PERFORM(associate_vnode_singlelabel, mp, &mp->mnt_fslabel, vp,
- &vp->v_label);
-}
-
-int
-mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
- struct vnode *dvp, struct vnode *vp, struct componentname *cnp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(dvp, "mac_create_vnode_extattr");
- ASSERT_VOP_LOCKED(vp, "mac_create_vnode_extattr");
-
- error = VOP_OPENEXTATTR(vp, cred, curthread);
- if (error == EOPNOTSUPP) {
- /* XXX: Optionally abort if transactions not supported. 
*/
- if (ea_warn_once == 0) {
- printf("Warning: transactions not supported "
- "in EA write.\n");
- ea_warn_once = 1;
- }
- } else if (error)
- return (error);
-
- MAC_CHECK(create_vnode_extattr, cred, mp, &mp->mnt_fslabel,
- dvp, &dvp->v_label, vp, &vp->v_label, cnp);
-
- if (error) {
- VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
- return (error);
- }
-
- error = VOP_CLOSEEXTATTR(vp, 1, NOCRED, curthread);
-
- if (error == EOPNOTSUPP)
- error = 0; /* XXX */
-
- return (error);
-}
-
-static int
-mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
- struct label *intlabel)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_setlabel_vnode_extattr");
-
- error = VOP_OPENEXTATTR(vp, cred, curthread);
- if (error == EOPNOTSUPP) {
- /* XXX: Optionally abort if transactions not supported. */
- if (ea_warn_once == 0) {
- printf("Warning: transactions not supported "
- "in EA write.\n");
- ea_warn_once = 1;
- }
- } else if (error)
- return (error);
-
- MAC_CHECK(setlabel_vnode_extattr, cred, vp, &vp->v_label, intlabel);
-
- if (error) {
- VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
- return (error);
- }
-
- error = VOP_CLOSEEXTATTR(vp, 1, NOCRED, curthread);
-
- if (error == EOPNOTSUPP)
- error = 0; /* XXX */
-
- return (error);
-}
-
 int
 mac_execve_enter(struct image_params *imgp, struct mac *mac_p, struct label *execlabelstorage)
@@ -974,542 +742,6 @@
 mac_destroy_cred_label(imgp->execlabel);
 }
-void
-mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
- struct label *interpvnodelabel, struct image_params *imgp)
-{
-
- ASSERT_VOP_LOCKED(vp, "mac_execve_transition");
-
- if (!mac_enforce_process && !mac_enforce_fs)
- return;
-
- MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
- interpvnodelabel, imgp, imgp->execlabel);
-}
-
-int
-mac_execve_will_transition(struct ucred *old, struct vnode *vp,
- struct label *interpvnodelabel, struct image_params *imgp)
-{
- int result;
-
- ASSERT_VOP_LOCKED(vp, "mac_execve_will_transition");
-
- if (!mac_enforce_process && !mac_enforce_fs)
- return (0);
-
- result = 0;
- MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
- interpvnodelabel, imgp, imgp->execlabel);
-
- return (result);
-}
-
-int
-mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int acc_mode)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, acc_mode);
- return (error);
-}
-
-int
-mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label);
- return (error);
-}
-
-int
-mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label);
- return (error);
-}
-
-int
-mac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
- struct componentname *cnp, struct vattr *vap)
-{
- int error;
-
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap);
- return (error);
-}
-
-int
-mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp,
- struct componentname *cnp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_delete");
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_delete");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp,
- &vp->v_label, cnp);
- return (error);
-}
-
-int
-mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
- acl_type_t type)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type);
- return (error);
-}
-
-int
-mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
- int attrnamespace, const char *name)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteextattr");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_deleteextattr, cred, vp, &vp->v_label,
- attrnamespace, name);
- return (error);
-}
-
-int
-mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
- struct image_params *imgp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec");
-
- if (!mac_enforce_process && !mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp,
- imgp->execlabel);
-
- return (error);
-}
-
-int
-mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type);
- return (error);
-}
-
-int
-mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
- int attrnamespace, const char *name, struct uio *uio)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label,
- attrnamespace, name, uio);
- return (error);
-}
-
-int
-mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
- struct vnode *vp, struct componentname *cnp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link");
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp,
- &vp->v_label, cnp);
- return (error);
-}
-
-int
-mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
- int attrnamespace)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_listextattr");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_listextattr, cred, vp, &vp->v_label,
- attrnamespace);
- return (error);
-}
-
-int
-mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
- struct componentname *cnp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp);
- return (error);
-}
-
-int
-mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, int prot)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap");
-
- if (!mac_enforce_fs || !mac_enforce_vm)
- return (0);
-
- MAC_CHECK(check_vnode_mmap, cred, vp, &vp->v_label, prot);
- return (error);
-}
-
-void
-mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot)
-{
- int result = *prot;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_downgrade");
-
- if (!mac_enforce_fs || !mac_enforce_vm)
- return;
-
- MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, &vp->v_label,
- &result);
-
- *prot = result;
-}
-
-int
-mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, int prot)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mprotect");
-
- if (!mac_enforce_fs || !mac_enforce_vm)
- return (0);
-
- MAC_CHECK(check_vnode_mprotect, cred, vp, &vp->v_label, prot);
- return (error);
-}
-
-int
-mac_check_vnode_open(struct ucred *cred, struct vnode *vp, int acc_mode)
-{
- int error;
-
- 
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
- return (error);
-}
-
-int
-mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
- struct vnode *vp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
- &vp->v_label);
-
- return (error);
-}
-
-int
-mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
- struct vnode *vp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
- &vp->v_label);
-
- return (error);
-}
-
-int
-mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label);
- return (error);
-}
-
-int
-mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label);
- return (error);
-}
-
-static int
-mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
- struct label *newlabel)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel");
-
- MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel);
-
- return (error);
-}
-
-int
-mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
- struct vnode *vp, struct componentname *cnp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from");
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp,
- &vp->v_label, cnp);
- return (error);
-}
-
-int
-mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
- struct vnode *vp, int samedir, struct componentname *cnp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to");
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp,
- vp != NULL ? &vp->v_label : NULL, samedir, cnp);
- return (error);
-}
-
-int
-mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label);
- return (error);
-}
-
-int
-mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
- struct acl *acl)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl);
- return (error);
-}
-
-int
-mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
- int attrnamespace, const char *name, struct uio *uio)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label,
- attrnamespace, name, uio);
- return (error);
-}
-
-int
-mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags);
- return (error);
-}
-
-int
-mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode);
- return (error);
-}
-
-int
-mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
- gid_t 
gid)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid);
- return (error);
-}
-
-int
-mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
- struct timespec atime, struct timespec mtime)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime,
- mtime);
- return (error);
-}
-
-int
-mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
- struct vnode *vp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
- &vp->v_label);
- return (error);
-}
-
-int
-mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
- struct vnode *vp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
- &vp->v_label);
-
- return (error);
-}
-
 /*
 * When relabeling a process, call out to the policies for the maximum
 * permission allowed for each object type we know about in its
@@ -1682,29 +914,6 @@
 MAC_PERFORM(relabel_cred, cred, newlabel);
 }
-void
-mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel)
-{
-
- MAC_PERFORM(relabel_vnode, cred, vp, &vp->v_label, newlabel);
-}
-
-void
-mac_create_mount(struct ucred *cred, struct mount *mp)
-{
-
- MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel,
- &mp->mnt_fslabel);
-}
-
-void
-mac_create_root_mount(struct ucred *cred, struct mount *mp)
-{
-
- MAC_PERFORM(create_root_mount, cred, mp, &mp->mnt_mntlabel,
- &mp->mnt_fslabel);
-}
-
 static int
 mac_check_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
@@ -1729,19 +938,6 @@
 }
 int
-mac_check_mount_stat(struct ucred *cred, struct mount *mount)
-{
- int error;
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_mount_stat, cred, mount, &mount->mnt_mntlabel);
-
- return (error);
-}
-
-int
 mac_check_proc_debug(struct ucred *cred, struct proc *proc)
 {
 int error;
@@ -1801,102 +997,6 @@
 return (error);
 }
-void
-mac_create_devfs_device(struct mount *mp, dev_t dev, struct devfs_dirent *de,
- const char *fullpath)
-{
-
- MAC_PERFORM(create_devfs_device, mp, dev, de, &de->de_label,
- fullpath);
-}
-
-void
-mac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
- struct devfs_dirent *dd, struct devfs_dirent *de, const char *fullpath)
-{
-
- MAC_PERFORM(create_devfs_symlink, cred, mp, dd, &dd->de_label, de,
- &de->de_label, fullpath);
-}
-
-void
-mac_create_devfs_directory(struct mount *mp, char *dirname, int dirnamelen,
- struct devfs_dirent *de, const char *fullpath)
-{
-
- MAC_PERFORM(create_devfs_directory, mp, dirname, dirnamelen, de,
- &de->de_label, fullpath);
-}
-
-/*
- * Implementation of VOP_SETLABEL() that relies on extended attributes
- * to store label data. Can be referenced by filesystems supporting
- * extended attributes.
- */
-int
-vop_stdsetlabel_ea(struct vop_setlabel_args *ap)
-{
- struct vnode *vp = ap->a_vp;
- struct label *intlabel = ap->a_label;
- int error;
-
- ASSERT_VOP_LOCKED(vp, "vop_stdsetlabel_ea");
-
- if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0)
- return (EOPNOTSUPP);
-
- error = mac_setlabel_vnode_extattr(ap->a_cred, vp, intlabel);
- if (error)
- return (error);
-
- mac_relabel_vnode(ap->a_cred, vp, intlabel);
-
- return (0);
-}
-
-static int
>>> TRUNCATED FOR MAIL (1000 lines) <<<