Date: Thu, 15 Feb 2018 18:57:22 +0000 (UTC) From: Brooks Davis <brooks@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r329336 - head/sys/security/mac Message-ID: <201802151857.w1FIvMS7013914@repo.freebsd.org>
Author: brooks
Date: Thu Feb 15 18:57:22 2018
New Revision: 329336
URL: https://svnweb.freebsd.org/changeset/base/329336

Log:
  Reduce duplication in __mac_*_(file|link)(2) implementation.

  Reviewed by:	rwatson
  Obtained from:	CheriBSD
  Sponsored by:	DARPA, AFRL
  Differential Revision:	https://reviews.freebsd.org/D14175

Modified:
  head/sys/security/mac/mac_syscalls.c

Modified: head/sys/security/mac/mac_syscalls.c
==============================================================================
--- head/sys/security/mac/mac_syscalls.c	Thu Feb 15 18:39:43 2018	(r329335)
+++ head/sys/security/mac/mac_syscalls.c	Thu Feb 15 18:57:22 2018	(r329336)
@@ -76,6 +76,11 @@ __FBSDID("$FreeBSD$");
 
 FEATURE(security_mac, "Mandatory Access Control Framework support");
 
+static int kern___mac_get_path(struct thread *td, const char *path_p,
+    struct mac *mac_p, int follow);
+static int kern___mac_set_path(struct thread *td, const char *path_p,
+    struct mac *mac_p, int follow);
+
 int
 sys___mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap)
 {
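Review bot: Both new prototypes declare `struct mac *mac_p` without const while `path_p` is `const char *`; in the helper bodies later in this commit mac_p is only ever the source operand of copyin(), so `const struct mac *mac_p` would state that and keep the two user pointers consistent. Both arguments are user-space addresses (the helpers hard-code UIO_USERSPACE and copyin rather than taking a uio_seg), which differs from what a reader expects of a `kern_`-prefixed helper elsewhere in the tree, so a one-line comment above the prototypes would help: `/* Shared bodies of __mac_{get,set}_{file,link}(2); path_p and mac_p are user pointers, follow is FOLLOW or NOFOLLOW. */`.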
@@ -315,57 +320,21 @@ out:
 int
 sys___mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
 {
-	char *elements, *buffer;
-	struct nameidata nd;
-	struct label *intlabel;
-	struct mac mac;
-	int error;
 
-	if (!(mac_labeled & MPC_OBJECT_VNODE))
-		return (EINVAL);
-
-	error = copyin(uap->mac_p, &mac, sizeof(mac));
-	if (error)
-		return (error);
-
-	error = mac_check_structmac_consistent(&mac);
-	if (error)
-		return (error);
-
-	elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
-	error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL);
-	if (error) {
-		free(elements, M_MACTEMP);
-		return (error);
-	}
-
-	buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
-	NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE,
-	    uap->path_p, td);
-	error = namei(&nd);
-	if (error)
-		goto out;
-
-	intlabel = mac_vnode_label_alloc();
-	mac_vnode_copy_label(nd.ni_vp->v_label, intlabel);
-	error = mac_vnode_externalize_label(intlabel, elements, buffer,
-	    mac.m_buflen);
-
-	NDFREE(&nd, 0);
-	mac_vnode_label_free(intlabel);
-	if (error == 0)
-		error = copyout(buffer, mac.m_string, strlen(buffer)+1);
-
-out:
-	free(buffer, M_MACTEMP);
-	free(elements, M_MACTEMP);
-
-	return (error);
+	return (kern___mac_get_path(td, uap->path_p, uap->mac_p, FOLLOW));
 }
 
 int
 sys___mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
 {
+
+	return (kern___mac_get_path(td, uap->path_p, uap->mac_p, NOFOLLOW));
+}
+
+static int
+kern___mac_get_path(struct thread *td, const char *path_p, struct mac *mac_p,
+    int follow)
+{
 	char *elements, *buffer;
 	struct nameidata nd;
 	struct label *intlabel;
@@ -375,7 +344,7 @@ sys___mac_get_link(struct thread *td, struct __mac_get
 	if (!(mac_labeled & MPC_OBJECT_VNODE))
 		return (EINVAL);
 
-	error = copyin(uap->mac_p, &mac, sizeof(mac));
+	error = copyin(mac_p, &mac, sizeof(mac));
 	if (error)
 		return (error);
 
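Review bot: kern___mac_get_path is introduced without a comment stating its contract, and after this change it is the single place where the lookup semantics of both __mac_get_file(2) and __mac_get_link(2) live, so a header comment is worth adding above the `static int` line: `/* Externalize the label of the vnode named by user path path_p into the caller's struct mac at mac_p; follow is FOLLOW (__mac_get_file) or NOFOLLOW (__mac_get_link) and is OR'ed into the namei flags. */`. Judging from the removed sys___mac_get_file body, mac.m_string is read (the element list via copyinstr) and then overwritten (copyout of the externalized label), so the comment should say that m_string is both input and output — the body of kern___mac_get_path continues past the end of this hunk, so that part is not visible here and should be confirmed against the rest of the function.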
@@ -391,8 +360,7 @@ sys___mac_get_link(struct thread *td, struct __mac_get
 	}
 
 	buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
-	NDINIT(&nd, LOOKUP, LOCKLEAF | NOFOLLOW, UIO_USERSPACE,
-	    uap->path_p, td);
+	NDINIT(&nd, LOOKUP, LOCKLEAF | follow, UIO_USERSPACE, path_p, td);
 	error = namei(&nd);
 	if (error)
 		goto out;
@@ -518,58 +486,21 @@ out:
 int
 sys___mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
 {
-	struct label *intlabel;
-	struct nameidata nd;
-	struct mount *mp;
-	struct mac mac;
-	char *buffer;
-	int error;
 
-	if (!(mac_labeled & MPC_OBJECT_VNODE))
-		return (EINVAL);
-
-	error = copyin(uap->mac_p, &mac, sizeof(mac));
-	if (error)
-		return (error);
-
-	error = mac_check_structmac_consistent(&mac);
-	if (error)
-		return (error);
-
-	buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
-	error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL);
-	if (error) {
-		free(buffer, M_MACTEMP);
-		return (error);
-	}
-
-	intlabel = mac_vnode_label_alloc();
-	error = mac_vnode_internalize_label(intlabel, buffer);
-	free(buffer, M_MACTEMP);
-	if (error)
-		goto out;
-
-	NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE,
-	    uap->path_p, td);
-	error = namei(&nd);
-	if (error == 0) {
-		error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
-		if (error == 0) {
-			error = vn_setlabel(nd.ni_vp, intlabel,
-			    td->td_ucred);
-			vn_finished_write(mp);
-		}
-	}
-
-	NDFREE(&nd, 0);
-out:
-	mac_vnode_label_free(intlabel);
-	return (error);
+	return (kern___mac_set_path(td, uap->path_p, uap->mac_p, FOLLOW));
 }
 
 int
 sys___mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
 {
+
+	return (kern___mac_set_path(td, uap->path_p, uap->mac_p, NOFOLLOW));
+}
+
+static int
+kern___mac_set_path(struct thread *td, const char *path_p, struct mac *mac_p,
+    int follow)
+{
 	struct label *intlabel;
 	struct nameidata nd;
 	struct mount *mp;
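Review bot: `follow` in the new kern___mac_set_path signature is a plain int that the NDINIT line above ORs straight into the namei flags (`LOCKLEAF | follow`), so any value other than FOLLOW or NOFOLLOW would silently change the lookup rather than fail (NOFOLLOW is the zero flag, so only FOLLOW's bit is meant to vary). Both call sites in this commit pass the right constants, but the pattern is now duplicated in two helpers and the flag word is what decides whether a symlink supplied by an unprivileged caller is dereferenced before the label is written, so pinning the contract is cheap: `KASSERT(follow == FOLLOW || follow == NOFOLLOW, ("%s: bad follow flag %#x", __func__, follow));` at the top of the helper, or make the parameter a bool and pick the flag inside. The body of kern___mac_set_path continues past the end of this hunk.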
@@ -580,7 +511,7 @@ sys___mac_set_link(struct thread *td, struct __mac_set
 	if (!(mac_labeled & MPC_OBJECT_VNODE))
 		return (EINVAL);
 
-	error = copyin(uap->mac_p, &mac, sizeof(mac));
+	error = copyin(mac_p, &mac, sizeof(mac));
 	if (error)
 		return (error);
 
@@ -601,8 +532,7 @@ sys___mac_set_link(struct thread *td, struct __mac_set
 	if (error)
 		goto out;
 
-	NDINIT(&nd, LOOKUP, LOCKLEAF | NOFOLLOW, UIO_USERSPACE,
-	    uap->path_p, td);
+	NDINIT(&nd, LOOKUP, LOCKLEAF | follow, UIO_USERSPACE, path_p, td);
 	error = namei(&nd);
 	if (error == 0) {
 		error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
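Review bot: The rewritten NDINIT keeps `UIO_USERSPACE` hard-coded and the copyin of mac_p above likewise assumes a user pointer, so the new helper cannot be reused by a caller that already holds kernel-side copies of the arguments — for instance a compat layer that has to translate a differently laid-out struct mac — which is the usual reason `kern_*` helpers in the tree take an `enum uio_seg` instead. If that reuse is not intended, a short comment on the helper saying the `kern___mac_*` names mean "shared body of the two syscalls" rather than the usual kern_* convention would avoid a later misuse; otherwise `enum uio_seg pathseg` plus a kernel `struct mac *` would be the conventional shape. The enclosing kern___mac_set_path body starts and ends outside this hunk.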