Date: Thu, 30 Oct 2008 10:13:53 +0000 (UTC)
From: Robert Watson <rwatson@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r184467 - head/sys/security/mac_bsdextended
Message-ID: <200810301013.m9UADrQ6047728@svn.freebsd.org>
Author: rwatson Date: Thu Oct 30 10:13:53 2008 New Revision: 184467 URL: http://svn.freebsd.org/changeset/base/184467 Log: The V* flags passed using an accmode_t to the access() and open() access control checks in mac_bsdextended are not in the same namespace as the MBI_ flags used in ugidfw policies, so add an explicit conversion routine to get from one to the other. Obtained from: TrustedBSD Project Modified: head/sys/security/mac_bsdextended/mac_bsdextended.c head/sys/security/mac_bsdextended/ugidfw_internal.h head/sys/security/mac_bsdextended/ugidfw_vnode.c Modified: head/sys/security/mac_bsdextended/mac_bsdextended.c ============================================================================== --- head/sys/security/mac_bsdextended/mac_bsdextended.c Thu Oct 30 08:32:18 2008 (r184466) +++ head/sys/security/mac_bsdextended/mac_bsdextended.c Thu Oct 30 10:13:53 2008 (r184467) @@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2002, 2007 Robert N. M. Watson + * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * Copyright (c) 2005 Tom Rhodes * Copyright (c) 2006 SPARTA, Inc. 
@@ -465,6 +465,27 @@ ugidfw_check_vp(struct ucred *cred, stru return (ugidfw_check(cred, vp, &vap, acc_mode)); } +int +ugidfw_accmode2mbi(accmode_t accmode) +{ + int mbi; + + mbi = 0; + if (accmode & VEXEC) + mbi |= MBI_EXEC; + if (accmode & VWRITE) + mbi |= MBI_WRITE; + if (accmode & VREAD) + mbi |= MBI_READ; + if (accmode & VADMIN) + mbi |= MBI_ADMIN; + if (accmode & VSTAT) + mbi |= MBI_STAT; + if (accmode & VAPPEND) + mbi |= MBI_APPEND; + return (mbi); +} + static struct mac_policy_ops ugidfw_ops = { .mpo_destroy = ugidfw_destroy, Modified: head/sys/security/mac_bsdextended/ugidfw_internal.h ============================================================================== --- head/sys/security/mac_bsdextended/ugidfw_internal.h Thu Oct 30 08:32:18 2008 (r184466) +++ head/sys/security/mac_bsdextended/ugidfw_internal.h Thu Oct 30 10:13:53 2008 (r184467) @@ -34,6 +34,7 @@ /* * Central access control routines used by object-specific checks. */ +int ugidfw_accmode2mbi(accmode_t accmode); int ugidfw_check(struct ucred *cred, struct vnode *vp, struct vattr *vap, int acc_mode); int ugidfw_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode); Modified: head/sys/security/mac_bsdextended/ugidfw_vnode.c ============================================================================== --- head/sys/security/mac_bsdextended/ugidfw_vnode.c Thu Oct 30 08:32:18 2008 (r184466) +++ head/sys/security/mac_bsdextended/ugidfw_vnode.c Thu Oct 30 10:13:53 2008 (r184467) @@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2002, 2007 Robert N. M. Watson + * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * Copyright (c) 2005 Tom Rhodes * Copyright (c) 2006 SPARTA, Inc. 
@@ -65,11 +65,7 @@ ugidfw_vnode_check_access(struct ucred * struct label *vplabel, accmode_t accmode) { - /* - * XXX: We pass accmode_t variable containing V* constants - * as an int containing MBI_* constants. - */ - return (ugidfw_check_vp(cred, vp, (int)accmode)); + return (ugidfw_check_vp(cred, vp, ugidfw_accmode2mbi(accmode))); } int @@ -175,11 +171,7 @@ ugidfw_vnode_check_open(struct ucred *cr struct label *vplabel, accmode_t accmode) { - /* - * XXX: We pass accmode_t variable containing V* constants - * as an int containing MBI_* constants. - */ - return (ugidfw_check_vp(cred, vp, (int)accmode)); + return (ugidfw_check_vp(cred, vp, ugidfw_accmode2mbi(accmode))); } int
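Review bot: ugidfw_accmode2mbi() in mac_bsdextended.c silently drops any accmode bit other than the six it tests, so a request carrying only an unhandled bit reaches ugidfw_check() with a mode of 0. The function also has no comment. Suggest a short comment above it that names the two namespaces (V* in accmode_t, MBI_* in ugidfw rules) and states that unmapped bits are ignored on purpose, or an assertion that the input has no bits outside VEXEC|VWRITE|VREAD|VADMIN|VSTAT|VAPPEND, so that a later addition to accmode_t is not lost in the conversion unnoticed.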
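Review bot: in ugidfw_vnode.c, both converted call sites still pass the result to ugidfw_check_vp(), whose parameter is declared `int acc_mode` in ugidfw_internal.h, so the compiler will accept a raw accmode_t from any other caller just as it accepted the old (int) cast. Renaming that parameter in ugidfw_check() and ugidfw_check_vp() to something that names the MBI_ namespace would make the expected input clear, and since only the access and open checks are changed here, it is worth confirming that no other caller in this file still passes V* constants directly.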