Date: Thu, 27 Jun 2002 14:13:01 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 13497 for review Message-ID: <200206272113.g5RLD1Ku027977@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=13497 Change 13497 by rwatson@rwatson_tislabs on 2002/06/27 14:12:38 Teach the MAC framework about ACL operations (delete, get, set), and the ACL code about the MAC framework. Affected files ... .. //depot/projects/trustedbsd/mac/sys/kern/kern_acl.c#8 edit .. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#153 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#107 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#66 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/kern_acl.c#8 (text+ko) ==== @@ -33,6 +33,7 @@ */ #include "opt_cap.h" +#include "opt_mac.h" #include <sys/param.h> #include <sys/systm.h> @@ -584,7 +585,16 @@ return (error); VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); +#ifdef MAC + error = mac_cred_check_setacl_vnode(td->td_ucred, vp, type, + &inkernacl); + if (error != 0) + goto out; +#endif error = VOP_SETACL(vp, type, &inkernacl, td->td_ucred, td); +#ifdef MAC +out: +#endif VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); return(error); @@ -602,7 +612,15 @@ VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); +#ifdef MAC + error = mac_cred_check_getacl_vnode(td->td_ucred, vp, type); + if (error != 0) + goto out; +#endif error = VOP_GETACL(vp, type, &inkernelacl, td->td_ucred, td); +#ifdef MAC +out: +#endif VOP_UNLOCK(vp, 0, td); if (error == 0) error = copyout(&inkernelacl, aclp, sizeof(struct acl)); @@ -623,7 +641,15 @@ return (error); VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); +#ifdef MAC + error = mac_cred_check_deleteacl_vnode(td->td_ucred, vp, type); + if (error) + goto out; +#endif error = VOP_SETACL(vp, ACL_TYPE_DEFAULT, 0, td->td_ucred, td); +#ifdef MAC +out: +#endif VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); return (error); ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#153 (text+ko) ==== @@ -499,10 +499,18 @@ mpc->mpc_ops.mpo_cred_check_delete_vnode = mpe->mpe_function; break; + case MAC_CRED_CHECK_DELETEACL_VNODE: + mpc->mpc_ops.mpo_cred_check_deleteacl_vnode = + mpe->mpe_function; + break; case MAC_CRED_CHECK_EXEC_VNODE: mpc->mpc_ops.mpo_cred_check_exec_vnode = mpe->mpe_function; break; + case MAC_CRED_CHECK_GETACL_VNODE: + mpc->mpc_ops.mpo_cred_check_getacl_vnode = + mpe->mpe_function; + break; case MAC_CRED_CHECK_GETEXTATTR_VNODE: mpc->mpc_ops.mpo_cred_check_getextattr_vnode = mpe->mpe_function; @@ -531,6 +539,10 @@ mpc->mpc_ops.mpo_cred_check_search_vnode = mpe->mpe_function; break; + case MAC_CRED_CHECK_SETACL_VNODE: + mpc->mpc_ops.mpo_cred_check_setacl_vnode = + mpe->mpe_function; + break; case MAC_CRED_CHECK_SETEXTATTR_VNODE: mpc->mpc_ops.mpo_cred_check_setextattr_vnode = mpe->mpe_function; @@ -1450,6 +1462,25 @@ } int +mac_cred_check_getacl_vnode(struct ucred *cred, struct vnode *vp, + acl_type_t type) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_cred_check_getacl_vnode"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(cred_check_getacl_vnode, cred, vp, &vp->v_label, type); + return (error); +} + +int mac_cred_check_getextattr_vnode(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio) { @@ -1538,6 +1569,25 @@ } int +mac_cred_check_setacl_vnode(struct ucred *cred, struct vnode *vp, + acl_type_t type, struct acl *acl) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_cred_check_setacl_vnode"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(cred_check_setacl_vnode, cred, vp, &vp->v_label, type, acl); + return (error); +} + +int mac_cred_check_setextattr_vnode(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio) { @@ -1659,6 +1709,26 @@ } int +mac_cred_check_deleteacl_vnode(struct ucred *cred, struct vnode *vp, + acl_type_t type) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_cred_check_deleteacl_vnode"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(cred_check_deleteacl_vnode, cred, vp, &vp->v_label, + type); + return (error); +} + +int mac_cred_check_rename_from_vnode(struct ucred *cred, struct vnode *dvp, struct vnode *vp) { ==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#107 (text+ko) ==== @@ -210,6 +210,8 @@ struct vattr; struct vnode; +#include <sys/acl.h> /* XXX acl_type_t */ + /* Label-based operations. */ void mac_init_bpfdesc(struct bpf_d *); void mac_init_devfsdirent(struct devfs_dirent *); @@ -247,11 +249,17 @@ struct sockaddr *sa); int mac_cred_check_create_vnode(struct ucred *cred, struct vnode *dvp, struct vattr *vap); +int mac_cred_check_deleteacl_vnode(struct ucred *cred, struct vnode *vp, + acl_type_t type); +int mac_cred_check_getacl_vnode(struct ucred *cred, struct vnode *vp, + acl_type_t type); int mac_cred_check_getextattr_vnode(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio); int mac_cred_check_listen_socket(struct ucred *cred, struct socket *socket); int mac_cred_check_search_vnode(struct ucred *cred, struct vnode *dvp); +int mac_cred_check_setacl_vnode(struct ucred *cred, struct vnode *vp, + acl_type_t type, struct acl *acl); int mac_cred_check_setextattr_vnode(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio); int mac_cred_check_setflags_vnode(struct ucred *cred, struct vnode *vp, ==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#66 (text+ko) ==== @@ -254,8 +254,12 @@ int (*mpo_cred_check_delete_vnode)(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct vnode *vp, void *label); + int (*mpo_cred_check_deleteacl_vnode)(struct ucred *cred, + struct vnode *vp, struct label *label, acl_type_t type); int (*mpo_cred_check_exec_vnode)(struct ucred *cred, struct vnode *vp, struct label *label); + int (*mpo_cred_check_getacl_vnode)(struct ucred *cred, + struct vnode *vp, struct label *label, acl_type_t type); int (*mpo_cred_check_getextattr_vnode)(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio); @@ -274,6 +278,9 @@ struct vnode *vp, struct label *label); int (*mpo_cred_check_search_vnode)(struct ucred *cred, struct vnode *dvp, struct label *dlabel); + int (*mpo_cred_check_setacl_vnode)(struct ucred *cred, + struct vnode *vp, struct label *label, acl_type_t type, + struct acl *acl); int (*mpo_cred_check_setextattr_vnode)(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio); @@ -381,7 +388,9 @@ MAC_CRED_CHECK_CONNECT_SOCKET, MAC_CRED_CHECK_CREATE_VNODE, MAC_CRED_CHECK_DELETE_VNODE, + MAC_CRED_CHECK_DELETEACL_VNODE, MAC_CRED_CHECK_EXEC_VNODE, + MAC_CRED_CHECK_GETACL_VNODE, MAC_CRED_CHECK_GETEXTATTR_VNODE, MAC_CRED_CHECK_LISTEN_SOCKET, MAC_CRED_CHECK_OPEN_VNODE, @@ -389,6 +398,7 @@ MAC_CRED_CHECK_RENAME_TO_VNODE, MAC_CRED_CHECK_REVOKE_VNODE, MAC_CRED_CHECK_SEARCH_VNODE, + MAC_CRED_CHECK_SETACL_VNODE, MAC_CRED_CHECK_SETEXTATTR_VNODE, MAC_CRED_CHECK_SETFLAGS_VNODE, MAC_CRED_CHECK_SETMODE_VNODE, To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200206272113.g5RLD1Ku027977>