Date: Wed, 3 Jul 2002 14:42:24 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 13772 for review Message-ID: <200207032142.g63LgOef069795@freefall.freebsd.org>
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=13772
Change 13772 by rwatson@rwatson_tislabs on 2002/07/03 14:41:28
Add MAC entry point for mac_cred_check_access_vnode(), which services the access() and eaccess() system calls. Required to make applications with pretty user interfaces involving file icons more useful.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#156 edit
.. //depot/projects/trustedbsd/mac/sys/kern/vfs_syscalls.c#47 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#108 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#67 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#156 (text+ko) ====
@@ -81,9 +81,11 @@
 SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0, "TrustedBSD MAC policy controls");
+SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0,
+ "TrustedBSD MAC debug info");
 int mac_debug_label_fallback = 0;
-SYSCTL_INT(_security_mac, OID_AUTO, debug_label_fallback, CTLFLAG_RW,
+SYSCTL_INT(_security_mac_debug, OID_AUTO, label_fallback, CTLFLAG_RW,
 &mac_debug_label_fallback, 0, "Filesystems should fall back to fs label" "when label is corrupted.");
 TUNABLE_INT("security.mac.debug_label_fallback",
@@ -274,6 +276,7 @@
 error = 0;
 break;
 default:
+ break;
 }
 return (error);
@@ -487,6 +490,10 @@
 mpc->mpc_ops.mpo_cred_check_debug_proc = mpe->mpe_function;
 break;
+ case MAC_CRED_CHECK_ACCESS_VNODE:
+ mpc->mpc_ops.mpo_cred_check_access_vnode =
+ mpe->mpe_function;
+ break;
 case MAC_CRED_CHECK_CHDIR_VNODE:
 mpc->mpc_ops.mpo_cred_check_chdir_vnode = mpe->mpe_function;
@@ -1095,8 +1102,6 @@
 /* label->l_flags &= ~MAC_FLAG_INITIALIZED; */
 }
-SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0,
- "TrustedBSD MAC debug info");
 static unsigned int nmacmbufs, nmacsubjects, nmacifnets, nmacbpfdescs, nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents, nmacipqs;
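Review bot: Renaming the sysctl from security.mac.debug_label_fallback to security.mac.debug.label_fallback leaves the loader tunable registered under the old name on the unchanged `TUNABLE_INT("security.mac.debug_label_fallback",` context line, so the boot-time knob and the runtime knob for the same variable no longer share a path; the tunable should be renamed in the same change, `TUNABLE_INT("security.mac.debug.label_fallback",` (its remaining arguments continue outside the hunk). The description in that SYSCTL_INT is two adjacent string literals with no separating space and will read "...fs labelwhen label is corrupted."; ending the first literal as `"Filesystems should fall back to fs label "` fixes it. The hunk at line 1095 is only the other half of the node move and needs nothing further.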
@@ -1425,6 +1430,24 @@
 }
 int
+mac_cred_check_access_vnode(struct ucred *cred, struct vnode *vp, int flags)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_cred_check_access_vnode");
+
+ if (!mac_enforce_fs)
+ return (0);
+
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(cred_check_access_vnode, cred, vp, &vp->v_label, flags);
+ return (error);
+}
+
+int
 mac_cred_check_chdir_vnode(struct ucred *cred, struct vnode *dvp)
 {
 int error;
==== //depot/projects/trustedbsd/mac/sys/kern/vfs_syscalls.c#47 (text+ko) ====
@@ -2386,6 +2386,11 @@
 flags |= VWRITE;
 if (user_flags & X_OK)
 flags |= VEXEC;
+#ifdef MAC
+ error = mac_cred_check_access_vnode(cred, vp, flags);
+ if (error)
+ return (error);
+#endif
 if ((flags & VWRITE) == 0 || (error = vn_writechk(vp)) == 0)
 error = VOP_ACCESS(vp, flags, cred, td);
 }
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#108 (text+ko) ====
@@ -242,6 +242,8 @@
 /* Authorizational event hooks. */
 int mac_bpfdesc_check_receive_from_ifnet(struct bpf_d *bpf_d, struct ifnet *ifnet);
+int mac_cred_check_access_vnode(struct ucred *cred, struct vnode *vp,
+ int flags);
 int mac_cred_check_bind_socket(struct ucred *cred, struct socket *so, struct sockaddr *sa);
 int mac_cred_check_chdir_vnode(struct ucred *cred, struct vnode *dvp);
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#67 (text+ko) ====
@@ -246,6 +246,8 @@
 struct label *mntlabel);
 int (*mpo_cred_check_debug_proc)(struct ucred *cred, struct proc *proc);
+ int (*mpo_cred_check_access_vnode)(struct ucred *cred,
+ struct vnode *vp, struct label *label, int flags);
 int (*mpo_cred_check_chdir_vnode)(struct ucred *cred, struct vnode *dvp, struct label *dlabel);
 int (*mpo_cred_check_create_vnode)(struct ucred *cred,
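Review bot: mac_cred_check_access_vnode() is added without a comment stating its contract, and the meaning of `flags` is only recoverable from the caller in vfs_syscalls.c, which builds it from VREAD/VWRITE/VEXEC rather than passing the access(2) R_OK/W_OK/X_OK bits through. A short header comment would keep a future caller from handing user flags straight to the policies: `/* Check whether cred may access vp for the VREAD/VWRITE/VEXEC bits in flags. vp must be locked (asserted); its label is refreshed before the policies are consulted. Returns 0 when MAC is not enforced for filesystems, otherwise the refresh error or the policies' verdict. */`. The mpo_cred_check_access_vnode prototype added in mac_policy.h further down this line would benefit from the same remark on flags, since that value reaches policy modules unchanged.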
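Review bot: The added `return (error);` in the vfs_syscalls.c hunk leaves the enclosing function directly, whereas the existing code in this block records failures in `error` and falls through to the closing brace; the function begins and ends outside the hunk, so whether that brace is followed by cleanup (an unlock or vput) or merely by `return (error);` cannot be confirmed here and should be checked before this lands. If the tail is anything but a plain return, keep the fall-through shape instead: `#ifdef MAC` / `error = mac_cred_check_access_vnode(cred, vp, flags); if (error == 0)` / `#endif` immediately ahead of the existing `if ((flags & VWRITE) == 0 || ...)`. The closing brace also suggests the MAC call sits inside a conditional opened outside the hunk; if that is the flags-zero existence-only guard, no policy is consulted for F_OK probes, which deserves a one-line comment either way.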
@@ -384,6 +386,7 @@
 MAC_CRED_CHECK_RELABEL_VNODE,
 MAC_CRED_CHECK_STATFS,
 MAC_CRED_CHECK_DEBUG_PROC,
+ MAC_CRED_CHECK_ACCESS_VNODE,
 MAC_CRED_CHECK_CHDIR_VNODE,
 MAC_CRED_CHECK_CONNECT_SOCKET,
 MAC_CRED_CHECK_CREATE_VNODE,
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
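Review bot: MAC_CRED_CHECK_ACCESS_VNODE is inserted between MAC_CRED_CHECK_DEBUG_PROC and MAC_CRED_CHECK_CHDIR_VNODE, which renumbers every constant after it; these values are what the kern_mac.c switch extended by this change dispatches on when it stores `mpe->mpe_function`, so a policy module built against the previous header would register its entry points under shifted slots. If policies are ever built separately from the kernel, appending the new constant at the end of the list avoids that, and otherwise the commit message should state that the policy ABI changes.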