Date: Tue, 15 Aug 2006 17:51:31 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 104073 for review Message-ID: <200608151751.k7FHpVqb036226@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=104073 Change 104073 by millert@millert_macbook on 2006/08/15 17:51:17 Fall back on fslabel if the label in the exattr is invalid. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#3 edit Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#3 (text+ko) ====
@@ -671,6 +671,7 @@
 struct vnode *vp, struct label *vlabel)
 {
 struct vnode_security_struct *vsec;
+ struct mount_fs_security_struct *fssec;
 /*
 * TBD: static buffers aren't a good idea, and SELinux contexts
 * aren't restricted in length.
@@ -684,32 +685,37 @@
 error = mac_vnop_getxattr(vp, SEBSD_MAC_EXTATTR_NAME, context, sizeof(context), &context_len);
- if (error == ENOATTR || error == ENOTSUP || error == EPERM) {
- /* XXX - use fslabel sid instead */
- vsec->sid = SECINITSID_UNLABELED; /* Use the default label */
-
- goto dosclass;
- }
 if (error) {
+ if (error == ENOATTR || error == ENOTSUP || error == EPERM)
+ goto dosclass;
 printf("%s: ERROR %d returned by mac_vnop_getxattr()\n", __func__, error);
- return (error); /* Fail closed */
+ return (error); /* Fail closed */
 }
 if (p == NULL || vp == NULL || vp->v_op == NULL ||
- vp->v_tag != VT_HFS || vp->v_data == NULL)
+ vp->v_tag != VT_HFS || vp->v_data == NULL) {
+ error = EINVAL;
 goto dosclass;
+ }
 error = security_context_to_sid(context, context_len, &vsec->sid);
- if (error) {
+ if (error)
 printf("%s: ERROR mapping context to sid: %.*s\n", __func__, context_len, context);
- return (0); /* TBD bad, bad, bad */
- }
 dosclass:
 vsec->sclass = vnode_type_to_security_class(vp->v_type);
+ /* Fall back to the filesystem label on error */
+ if (error) {
+ if (fslabel) {
+ fssec = SLOT(fslabel);
+ vsec->sid = fssec->sid;
+ } else
+ vsec->sid = SECINITSID_UNLABELED;
+ }
+ return (0);
 }
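Review bot: A label that is present in the extended attribute but rejected by `security_context_to_sid()` now receives the filesystem SID at `dosclass:`, exactly like a file with no attribute at all, so a corrupted or tampered on-disk label is treated as an ordinary default-labelled file. Whether that is looser than `SECINITSID_UNLABELED` depends on the loaded policy, which is not visible here; if it can be, keep the braces on that `if (error)` and add `vsec->sid = SECINITSID_UNLABELED; error = 0;` after the printf, so that only `ENOATTR`/`ENOTSUP`/`EPERM` and the `EINVAL` arm inherit from `fslabel`. The hunk at -746 applies the same fallback in another function and deserves the same decision. Separately, the `vp == NULL` test sits after `mac_vnop_getxattr(vp, ...)` and its `goto dosclass` reaches `vp->v_type`, so that arm cannot protect anything as written. The function's opening lines are outside this hunk.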
@@ -746,10 +752,13 @@
 __func__, context_len, context);
 }
- /* Fall back on the filesystem label on error */
+ /* Fall back to the filesystem label on error */
 if (error) {
- fssec = SLOT(fslabel);
- vsec->sid = fssec->sid;
+ if (fslabel) {
+ fssec = SLOT(fslabel);
+ vsec->sid = fssec->sid;
+ } else
+ vsec->sid = SECINITSID_UNLABELED;
 }
 }
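Review bot: The fallback block added here is a copy of the one added near the end of the function in the hunk at -684, so the two label-assignment paths can drift apart the next time the fallback policy changes. A small static helper taking `vsec` and `fslabel` would keep that decision in one place; the sketch below assumes `fslabel` is a `struct label *` like `vlabel`, and the helper name is only a suggestion. It is also the natural place to handle a NULL result from `SLOT(fslabel)`, if that can happen for a mount label that was never initialised (not visible in this hunk). The enclosing function starts outside the hunk.

```c
/* Choose the SID for a vnode whose on-disk label could not be used. */
static void
sebsd_fallback_sid(struct vnode_security_struct *vsec, struct label *fslabel)
{
	struct mount_fs_security_struct *fssec;

	if (fslabel != NULL) {
		fssec = SLOT(fslabel);
		vsec->sid = fssec->sid;
	} else
		vsec->sid = SECINITSID_UNLABELED;
}

	/* … unchanged: context mapping and its error printf … */
	/* Fall back to the filesystem label on error */
	if (error)
		sebsd_fallback_sid(vsec, fslabel);
```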