Date:      Mon, 20 Oct 2003 18:38:00 -0700 (PDT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 40055 for review
Message-ID:  <200310210138.h9L1c00J012768@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=40055

Change 40055 by rwatson@rwatson_tislabs on 2003/10/20 18:37:44

	Move file system related MAC entry point and infrastructure
	code from kern_mac.c to mac_fs.c.  The split of exec and
	VM functionality will probably require some refinement.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/conf/files#90 edit
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#418 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_fs.c#2 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_internal.h#6 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/conf/files#90 (text+ko) ====

@@ -1588,6 +1588,7 @@
 posix4/p1003_1b.c	standard
 posix4/posix4_mib.c	standard
 kern/uipc_sem.c		optional p1003_1b_semaphores
+security/mac/mac_fs.c		optional mac
 security/mac/mac_net.c		optional mac
 security/mac/mac_pipe.c		optional mac
 security/mac/mac_posix_sem.c	optional mac

==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#418 (text+ko) ====

@@ -116,12 +116,6 @@
 int	mac_late = 0;
 
 /*
- * Warn about EA transactions only the first time they happen.
- * Weak coherency, no locking.
- */
-static int	ea_warn_once = 0;
-
-/*
  * Flag to indicate whether or not we should allocate label storage for
  * new mbufs.  Since most dynamic policies we currently work with don't
  * rely on mbuf labeling, try to avoid paying the cost of mtag allocation
@@ -136,12 +130,7 @@
 int	mac_labelmbufs = 0;
 #endif
 
-static int	mac_enforce_fs = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
-    &mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
-TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
-
-static int	mac_enforce_process = 1;
+int	mac_enforce_process = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
     &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations");
 TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process);
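Review bot: Dropping `static` on the `+int	mac_enforce_process = 1;` line gives the tunable external linkage so the relocated exec entry points can test it, but the declaration other translation units see must come from a single header; mac_internal.h#6 is in the affected list yet not in this excerpt, so confirm it carries `extern int mac_enforce_process;` rather than mac_fs.c redeclaring the variable locally. The same question applies to `mac_enforce_vm`, which the removed `mac_check_vnode_mmap`, `mac_check_vnode_mmap_downgrade` and `mac_check_vnode_mprotect` bodies read and which no hunk of kern_mac.c exports — if it is still file-local here, the moved code will not link, which may be the "refinement" the description anticipates. A one-line comment above the definition would record the new contract: `/* Not static: also read by the exec/VM entry points in mac_fs.c; declared in mac_internal.h. */`.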
@@ -175,34 +164,22 @@
 SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0,
     "TrustedBSD MAC object counters");
 
-static unsigned int nmaccreds, nmacmounts, nmactemp, nmacvnodes,
-     nmacdevfsdirents, nmacprocs;
+static unsigned int nmaccreds, nmactemp, nmacprocs;
 
 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD,
     &nmaccreds, 0, "number of ucreds in use");
 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD,
     &nmacprocs, 0, "number of procs in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD,
-    &nmacmounts, 0, "number of mounts in use");
 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD,
     &nmactemp, 0, "number of temporary labels in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, vnodes, CTLFLAG_RD,
-    &nmacvnodes, 0, "number of vnodes in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, devfsdirents, CTLFLAG_RD,
-    &nmacdevfsdirents, 0, "number of devfs dirents inuse");
 #endif
 
 static int	mac_policy_register(struct mac_policy_conf *mpc);
 static int	mac_policy_unregister(struct mac_policy_conf *mpc);
 
-static void	mac_check_vnode_mmap_downgrade(struct ucred *cred,
-		    struct vnode *vp, int *prot);
 static void	mac_cred_mmapped_drop_perms_recurse(struct thread *td,
 		    struct ucred *cred, struct vm_map *map);
 
-static int	mac_setlabel_vnode_extattr(struct ucred *cred,
-		    struct vnode *vp, struct label *intlabel);
-
 MALLOC_DEFINE(M_MACTEMP, "mactemp", "MAC temporary label storage");
 
 /*
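Review bot: The `static void mac_check_vnode_mmap_downgrade(...)` prototype is removed while the prototype for `mac_cred_mmapped_drop_perms_recurse` stays, and that routine's body (outside every hunk shown) is the VM-side caller of the downgrade hook; after this change kern_mac.c needs a non-static declaration of `mac_check_vnode_mmap_downgrade` from a header, presumably mac_internal.h, or the call becomes an implicit declaration. Since the definition moved to mac_fs.c also had only a `static` forward declaration for its linkage, its header declaration should carry the same `void mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot);` signature. The counter split looks consistent: `nmacmounts`, `nmacvnodes` and `nmacdevfsdirents` leave together with the mount, vnode and devfs init/destroy routines that adjusted them, while `nmaccreds`, `nmactemp` and `nmacprocs` stay with their users.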
@@ -615,26 +592,6 @@
 }
 
 void
-mac_init_devfsdirent(struct devfs_dirent *de)
-{
-
-	mac_init_label(&de->de_label);
-	MAC_PERFORM(init_devfsdirent_label, &de->de_label);
-	MAC_DEBUG_COUNTER_INC(&nmacdevfsdirents);
-}
-
-void
-mac_init_mount(struct mount *mp)
-{
-
-	mac_init_label(&mp->mnt_mntlabel);
-	mac_init_label(&mp->mnt_fslabel);
-	MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
-	MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
-	MAC_DEBUG_COUNTER_INC(&nmacmounts);
-}
-
-void
 mac_init_proc(struct proc *p)
 {
 
@@ -643,22 +600,6 @@
 	MAC_DEBUG_COUNTER_INC(&nmacprocs);
 }
 
-void
-mac_init_vnode_label(struct label *label)
-{
-
-	mac_init_label(label);
-	MAC_PERFORM(init_vnode_label, label);
-	MAC_DEBUG_COUNTER_INC(&nmacvnodes);
-}
-
-void
-mac_init_vnode(struct vnode *vp)
-{
-
-	mac_init_vnode_label(&vp->v_label);
-}
-
 static void
 mac_destroy_cred_label(struct label *label)
 {
@@ -676,26 +617,6 @@
 }
 
 void
-mac_destroy_devfsdirent(struct devfs_dirent *de)
-{
-
-	MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
-	mac_destroy_label(&de->de_label);
-	MAC_DEBUG_COUNTER_DEC(&nmacdevfsdirents);
-}
-
-void
-mac_destroy_mount(struct mount *mp)
-{
-
-	MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
-	MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
-	mac_destroy_label(&mp->mnt_fslabel);
-	mac_destroy_label(&mp->mnt_mntlabel);
-	MAC_DEBUG_COUNTER_DEC(&nmacmounts);
-}
-
-void
 mac_destroy_proc(struct proc *p)
 {
 
@@ -704,29 +625,6 @@
 	MAC_DEBUG_COUNTER_DEC(&nmacprocs);
 }
 
-void
-mac_destroy_vnode_label(struct label *label)
-{
-
-	MAC_PERFORM(destroy_vnode_label, label);
-	mac_destroy_label(label);
-	MAC_DEBUG_COUNTER_DEC(&nmacvnodes);
-}
-
-void
-mac_destroy_vnode(struct vnode *vp)
-{
-
-	mac_destroy_vnode_label(&vp->v_label);
-}
-
-void
-mac_copy_vnode_label(struct label *src, struct label *dest)
-{
-
-	MAC_PERFORM(copy_vnode_label, src, dest);
-}
-
 int
 mac_check_structmac_consistent(struct mac *mac)
 {
@@ -750,17 +648,6 @@
 }
 
 static int
-mac_externalize_vnode_label(struct label *label, char *elements,
-    char *outbuf, size_t outbuflen, int flags)
-{
-	int error;
-
-	MAC_EXTERNALIZE(vnode_label, label, elements, outbuf, outbuflen);
-
-	return (error);
-}
-
-static int
 mac_internalize_cred_label(struct label *label, char *string)
 {
 	int error;
@@ -770,16 +657,6 @@
 	return (error);
 }
 
-static int
-mac_internalize_vnode_label(struct label *label, char *string)
-{
-	int error;
-
-	MAC_INTERNALIZE(vnode_label, label, string);
-
-	return (error);
-}
-
 /*
  * Initialize MAC label for the first kernel process, from which other
  * kernel processes and threads are spawned.
@@ -821,115 +698,6 @@
 	MAC_PERFORM(create_cred, parent_cred, child_cred);
 }
 
-void
-mac_update_devfsdirent(struct mount *mp, struct devfs_dirent *de,
-    struct vnode *vp)
-{
-
-	MAC_PERFORM(update_devfsdirent, mp, de, &de->de_label, vp,
-	    &vp->v_label);
-}
-
-void
-mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
-    struct vnode *vp)
-{
-
-	MAC_PERFORM(associate_vnode_devfs, mp, &mp->mnt_fslabel, de,
-	    &de->de_label, vp, &vp->v_label);
-}
-
-int
-mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "mac_associate_vnode_extattr");
-
-	MAC_CHECK(associate_vnode_extattr, mp, &mp->mnt_fslabel, vp,
-	    &vp->v_label);
-
-	return (error);
-}
-
-void
-mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp)
-{
-
-	MAC_PERFORM(associate_vnode_singlelabel, mp, &mp->mnt_fslabel, vp,
-	    &vp->v_label);
-}
-
-int
-mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
-    struct vnode *dvp, struct vnode *vp, struct componentname *cnp)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(dvp, "mac_create_vnode_extattr");
-	ASSERT_VOP_LOCKED(vp, "mac_create_vnode_extattr");
-
-	error = VOP_OPENEXTATTR(vp, cred, curthread);
-	if (error == EOPNOTSUPP) {
-		/* XXX: Optionally abort if transactions not supported. */
-		if (ea_warn_once == 0) {
-			printf("Warning: transactions not supported "
-			    "in EA write.\n");
-			ea_warn_once = 1;
-		}
-	} else if (error)
-		return (error);
-
-	MAC_CHECK(create_vnode_extattr, cred, mp, &mp->mnt_fslabel,
-	    dvp, &dvp->v_label, vp, &vp->v_label, cnp);
-
-	if (error) {
-		VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
-		return (error);
-	}
-
-	error = VOP_CLOSEEXTATTR(vp, 1, NOCRED, curthread);
-
-	if (error == EOPNOTSUPP)
-		error = 0;				/* XXX */
-
-	return (error);
-}
-
-static int
-mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
-    struct label *intlabel)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "mac_setlabel_vnode_extattr");
-
-	error = VOP_OPENEXTATTR(vp, cred, curthread);
-	if (error == EOPNOTSUPP) {
-		/* XXX: Optionally abort if transactions not supported. */
-		if (ea_warn_once == 0) {
-			printf("Warning: transactions not supported "
-			    "in EA write.\n");
-			ea_warn_once = 1;
-		}
-	} else if (error)
-		return (error);
-
-	MAC_CHECK(setlabel_vnode_extattr, cred, vp, &vp->v_label, intlabel);
-
-	if (error) {
-		VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
-		return (error);
-	}
-
-	error = VOP_CLOSEEXTATTR(vp, 1, NOCRED, curthread);
-
-	if (error == EOPNOTSUPP)
-		error = 0;				/* XXX */
-
-	return (error);
-}
-
 int
 mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
     struct label *execlabelstorage)
@@ -974,542 +742,6 @@
 		mac_destroy_cred_label(imgp->execlabel);
 }
 
-void
-mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
-    struct label *interpvnodelabel, struct image_params *imgp)
-{
-
-	ASSERT_VOP_LOCKED(vp, "mac_execve_transition");
-
-	if (!mac_enforce_process && !mac_enforce_fs)
-		return;
-
-	MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
-	    interpvnodelabel, imgp, imgp->execlabel);
-}
-
-int
-mac_execve_will_transition(struct ucred *old, struct vnode *vp,
-    struct label *interpvnodelabel, struct image_params *imgp)
-{
-	int result;
-
-	ASSERT_VOP_LOCKED(vp, "mac_execve_will_transition");
-
-	if (!mac_enforce_process && !mac_enforce_fs)
-		return (0);
-
-	result = 0;
-	MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
-	    interpvnodelabel, imgp, imgp->execlabel);
-
-	return (result);
-}
-
-int
-mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int acc_mode)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, acc_mode);
-	return (error);
-}
-
-int
-mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label);
-	return (error);
-}
-
-int
-mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label);
-	return (error);
-}
-
-int
-mac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
-    struct componentname *cnp, struct vattr *vap)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap);
-	return (error);
-}
-
-int
-mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp,
-    struct componentname *cnp)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_delete");
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_delete");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp,
-	    &vp->v_label, cnp);
-	return (error);
-}
-
-int
-mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
-    acl_type_t type)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type);
-	return (error);
-}
-
-int
-mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
-    int attrnamespace, const char *name)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteextattr");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_deleteextattr, cred, vp, &vp->v_label,
-	    attrnamespace, name);
-	return (error);
-}
-
-int
-mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
-    struct image_params *imgp)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec");
-
-	if (!mac_enforce_process && !mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp,
-	    imgp->execlabel);
-
-	return (error);
-}
-
-int
-mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type);
-	return (error);
-}
-
-int
-mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
-    int attrnamespace, const char *name, struct uio *uio)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label,
-	    attrnamespace, name, uio);
-	return (error);
-}
-
-int
-mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
-    struct vnode *vp, struct componentname *cnp)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link");
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp,
-	    &vp->v_label, cnp);
-	return (error);
-}
-
-int
-mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
-    int attrnamespace)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_listextattr");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_listextattr, cred, vp, &vp->v_label,
-	    attrnamespace);
-	return (error);
-}
-
-int
-mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
-    struct componentname *cnp)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp);
-	return (error);
-}
-
-int
-mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, int prot)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap");
-
-	if (!mac_enforce_fs || !mac_enforce_vm)
-		return (0);
-
-	MAC_CHECK(check_vnode_mmap, cred, vp, &vp->v_label, prot);
-	return (error);
-}
-
-void
-mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot)
-{
-	int result = *prot;
-
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_downgrade");
-
-	if (!mac_enforce_fs || !mac_enforce_vm)
-		return;
-
-	MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, &vp->v_label,
-	    &result);
-
-	*prot = result;
-}
-
-int
-mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, int prot)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mprotect");
-
-	if (!mac_enforce_fs || !mac_enforce_vm)
-		return (0);
-
-	MAC_CHECK(check_vnode_mprotect, cred, vp, &vp->v_label, prot);
-	return (error);
-}
-
-int
-mac_check_vnode_open(struct ucred *cred, struct vnode *vp, int acc_mode)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
-	return (error);
-}
-
-int
-mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
-    struct vnode *vp)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
-	    &vp->v_label);
-
-	return (error);
-}
-
-int
-mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
-    struct vnode *vp)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
-	    &vp->v_label);
-
-	return (error);
-}
-
-int
-mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label);
-	return (error);
-}
-
-int
-mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label);
-	return (error);
-}
-
-static int
-mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
-    struct label *newlabel)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel");
-
-	MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel);
-
-	return (error);
-}
-
-int
-mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
-    struct vnode *vp, struct componentname *cnp)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from");
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp,
-	    &vp->v_label, cnp);
-	return (error);
-}
-
-int
-mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
-    struct vnode *vp, int samedir, struct componentname *cnp)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to");
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp,
-	    vp != NULL ? &vp->v_label : NULL, samedir, cnp);
-	return (error);
-}
-
-int
-mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label);
-	return (error);
-}
-
-int
-mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
-    struct acl *acl)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl);
-	return (error);
-}
-
-int
-mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
-    int attrnamespace, const char *name, struct uio *uio)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label,
-	    attrnamespace, name, uio);
-	return (error);
-}
-
-int
-mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags);
-	return (error);
-}
-
-int
-mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode);
-	return (error);
-}
-
-int
-mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
-    gid_t gid)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid);
-	return (error);
-}
-
-int
-mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
-    struct timespec atime, struct timespec mtime)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime,
-	    mtime);
-	return (error);
-}
-
-int
-mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
-    struct vnode *vp)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
-	    &vp->v_label);
-	return (error);
-}
-
-int
-mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
-    struct vnode *vp)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
-	    &vp->v_label);
-
-	return (error);
-}
-
 /*
  * When relabeling a process, call out to the policies for the maximum
  * permission allowed for each object type we know about in its
@@ -1682,29 +914,6 @@
 	MAC_PERFORM(relabel_cred, cred, newlabel);
 }
 
-void
-mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel)
-{
-
-	MAC_PERFORM(relabel_vnode, cred, vp, &vp->v_label, newlabel);
-}
-
-void
-mac_create_mount(struct ucred *cred, struct mount *mp)
-{
-
-	MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel,
-	    &mp->mnt_fslabel);
-}
-
-void
-mac_create_root_mount(struct ucred *cred, struct mount *mp)
-{
-
-	MAC_PERFORM(create_root_mount, cred, mp, &mp->mnt_mntlabel,
-	    &mp->mnt_fslabel);
-}
-
 static int
 mac_check_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
@@ -1729,19 +938,6 @@
 }
 
 int
-mac_check_mount_stat(struct ucred *cred, struct mount *mount)
-{
-	int error;
-
-	if (!mac_enforce_fs)
-		return (0);
-
-	MAC_CHECK(check_mount_stat, cred, mount, &mount->mnt_mntlabel);
-
-	return (error);
-}
-
-int
 mac_check_proc_debug(struct ucred *cred, struct proc *proc)
 {
 	int error;
@@ -1801,102 +997,6 @@
 	return (error);
 }
 
-void
-mac_create_devfs_device(struct mount *mp, dev_t dev, struct devfs_dirent *de,
-    const char *fullpath)
-{
-
-	MAC_PERFORM(create_devfs_device, mp, dev, de, &de->de_label,
-	    fullpath);
-}
-
-void
-mac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
-    struct devfs_dirent *dd, struct devfs_dirent *de, const char *fullpath)
-{
-
-	MAC_PERFORM(create_devfs_symlink, cred, mp, dd, &dd->de_label, de,
-	    &de->de_label, fullpath);
-}
-
-void
-mac_create_devfs_directory(struct mount *mp, char *dirname, int dirnamelen,
-    struct devfs_dirent *de, const char *fullpath)
-{
-
-	MAC_PERFORM(create_devfs_directory, mp, dirname, dirnamelen, de,
-	    &de->de_label, fullpath);
-}
-
-/*
- * Implementation of VOP_SETLABEL() that relies on extended attributes
- * to store label data.  Can be referenced by filesystems supporting
- * extended attributes.
- */
-int
-vop_stdsetlabel_ea(struct vop_setlabel_args *ap)
-{
-	struct vnode *vp = ap->a_vp;
-	struct label *intlabel = ap->a_label;
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "vop_stdsetlabel_ea");
-
-	if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0)
-		return (EOPNOTSUPP);
-
-	error = mac_setlabel_vnode_extattr(ap->a_cred, vp, intlabel);
-	if (error)
-		return (error);
-
-	mac_relabel_vnode(ap->a_cred, vp, intlabel);
-
-	return (0);
-}
-
-static int

>>> TRUNCATED FOR MAIL (1000 lines) <<<


