From owner-trustedbsd-cvs@FreeBSD.ORG Tue Nov 14 19:01:42 2006
Date: Tue, 14 Nov 2006 18:53:21 GMT
Message-Id: <200611141853.kAEIrLEc012745@repoman.freebsd.org>
From: Todd Miller
To: Perforce Change Reviews
Subject: PERFORCE change 109962 for review
List-Id: TrustedBSD CVS and Perforce commit message list

http://perforce.freebsd.org/chv.cgi?CH=109962

Change 109962 by millert@millert_g5tower on 2006/11/14 18:52:51

	Adapt vnode_label_associate_file(), remove vnode_label_associate_cred()

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#37 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#17 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#37 (text+ko) ====
@@ -753,34 +753,33 @@ } static void -sebsd_vnode_label_associate_cred(struct ucred *cred, struct vnode *vp, - struct label *vlabel) -{ - struct task_security_struct *tsec; - struct vnode_security_struct *vsec; - - tsec = SLOT(cred->cr_label); - vsec = SLOT(vlabel); - - vsec->sid = vsec->task_sid = tsec->sid; - vsec->sclass = SECCLASS_FILE; /* XXX */ -} - -static void -sebsd_vnode_label_associate_file(struct ucred *cred, struct fileglob *fg, +sebsd_vnode_label_associate_file(struct ucred *cred, struct mount *mp, + struct label *mntlabel, struct fileglob *fg, struct label *fglabel, struct vnode *vp, struct label *vlabel) { struct task_security_struct *tsec; struct file_security_struct *fsec; struct vnode_security_struct *vsec; + struct mount_security_struct *sbsec; tsec = SLOT(cred->cr_label); - fsec = SLOT(fglabel); vsec = SLOT(vlabel); + vsec->task_sid = tsec->sid; + vsec->sclass = vnode_type_to_security_class(vp->v_type); - vsec->sid = fsec->sid; - vsec->task_sid = tsec->sid; - vsec->sclass = SECCLASS_FILE; /* XXX */ + /* + * Use file label if it exists, otherwise fall back + * on mount or cred labels. + */ + if (fglabel) { + fsec = SLOT(fglabel); + vsec->sid = fsec->sid; + } else if (mntlabel) { + sbsec = SLOT(mntlabel); + vsec->sid = sbsec->sid; + } else { + vsec->sid = tsec->sid; + } } static void @@ -3625,7 +3624,6 @@ .mpo_vnode_label_associate_posixsem = sebsd_vnode_label_associate_posixsem, .mpo_vnode_label_associate_posixshm = sebsd_vnode_label_associate_posixshm, .mpo_vnode_label_associate_pipe = sebsd_vnode_label_associate_pipe, - .mpo_vnode_label_associate_cred = sebsd_vnode_label_associate_cred, .mpo_vnode_label_associate_file = sebsd_vnode_label_associate_file, .mpo_devfs_label_update = sebsd_devfs_update, ==== //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#17 (text+ko) ==== 
@@ -1171,26 +1171,21 @@ } static void -mac_test_vnode_label_associate_file(struct ucred *cred, struct fileglob *fg, - struct label *fglabel, struct vnode *vp, struct label *vlabel) +mac_test_vnode_label_associate_file(struct ucred *cred, struct mount *mp, + struct label *mntlabel, struct fileglob *fg, struct label *fglabel, + struct vnode *vp, struct label *vlabel) { CHECKNULL(cred); - CHECKNULL(fg); CHECKNULL(vp); INIT_LABEL(vlabel, VNODETYPE); - USE_LABEL(fglabel, FILETYPE); -} -static void -mac_test_vnode_label_associate_cred(struct ucred *cred, struct vnode *vp, - struct label *vlabel) -{ - CHECKNULL(cred); - CHECKNULL(vp); - - INIT_LABEL(vlabel, VNODETYPE); - USE_LABEL(cred->cr_label, CREDTYPE); + if (fglabel) { + CHECKNULL(fg); + USE_LABEL(fglabel, FILETYPE); + } else { + USE_LABEL(cred->cr_label, CREDTYPE); + } } static void @@ -1922,7 +1917,6 @@ mac_test_vnode_label_associate_posixshm, .mpo_vnode_label_associate_pipe = mac_test_vnode_label_associate_pipe, .mpo_vnode_label_associate_file = mac_test_vnode_label_associate_file, - .mpo_vnode_label_associate_cred = mac_test_vnode_label_associate_cred, .mpo_devfs_label_associate_device= mac_test_devfs_label_associate_device, .mpo_devfs_label_associate_directory=
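Review bot: in the sebsd.c hunk at -753, `vp->v_type` is now dereferenced unconditionally through vnode_type_to_security_class(), whereas the removed version of this function never touched `vp`; the mac_test policy's CHECKNULL(vp) in the same change suggests the framework guarantees a non-NULL vnode here, but that contract should be confirmed for every caller of the hook before the policy relies on it. The fallback chain (file label, then mount label, then the credential's sid) is a reasonable replacement for the `SECCLASS_FILE /* XXX */` placeholder, but the new comment should say when each branch is expected to fire, since quietly labelling a vnode with the calling task's own sid is the least specific outcome and a reader of the policy needs to know it is intended rather than a missed case; `mp` and `fg` are accepted but never used and could be marked as such.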
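Review bot: in the mac_test.c hunk at -1171 the new fallback tests only `fglabel` and otherwise uses `cred->cr_label`, so the `mntlabel` branch that sebsd now prefers over the credential label is never exercised by the test policy; add an `else if (mntlabel)` arm that runs CHECKNULL(mp) and a USE_LABEL on `mntlabel` with the mount label type, so a divergence between the two policies' fallback order would be caught. `mp` is also never passed through CHECKNULL even though `cred` and `vp` are. Moving CHECKNULL(fg) under `if (fglabel)` is right, since `fg` is only meaningful when a file label is supplied.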