Date: Sat, 20 Jul 2002 08:44:38 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 14525 for review Message-ID: <200207201544.g6KFicRe047958@freefall.freebsd.org>
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=14525
Change 14525 by rwatson@rwatson_curry on 2002/07/20 08:43:52
Implement mac_cred_check_readlink() to authorize the reading and use of symlink stored data.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#177 edit
.. //depot/projects/trustedbsd/mac/sys/kern/vfs_lookup.c#13 edit
.. //depot/projects/trustedbsd/mac/sys/kern/vfs_syscalls.c#51 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#112 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#74 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#177 (text+ko) ====
@@ -554,6 +554,10 @@
 mpc->mpc_ops->mpo_cred_check_open_vnode =
 mpe->mpe_function;
 break;
+ case MAC_CRED_CHECK_READLINK:
+ mpc->mpc_ops->mpo_cred_check_readlink =
+ mpe->mpe_function;
+ break;
 case MAC_CRED_CHECK_RENAME_FROM_VNODE:
 mpc->mpc_ops->mpo_cred_check_rename_from_vnode =
 mpe->mpe_function;
@@ -1679,6 +1683,24 @@
 }
 
 int
+mac_cred_check_readlink(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_cred_check_readlink");
+
+ if (!mac_enforce_fs)
+ return (0);
+
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(cred_check_readlink, cred, vp, &vp->v_label);
+ return (error);
+}
+
+int
 mac_cred_check_revoke_vnode(struct ucred *cred, struct vnode *vp)
 {
 int error;
==== //depot/projects/trustedbsd/mac/sys/kern/vfs_lookup.c#13 (text+ko) ====
@@ -316,6 +316,11 @@
 error = ELOOP;
 break;
 }
+#ifdef MAC
+ error = mac_cred_check_readlink(td->td_ucred, ndp->ni_vp);
+ if (error)
+ break;
+#endif
 if (ndp->ni_pathlen > 1)
 cp = uma_zalloc(namei_zone, M_WAITOK);
 else
==== //depot/projects/trustedbsd/mac/sys/kern/vfs_syscalls.c#51 (text+ko) ====
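Review bot: mac_cred_check_readlink in the second kern_mac.c hunk carries no comment stating its contract, although its preconditions bind both callers this change introduces. I would add a header comment above the definition saying that it authorizes cred to read the contents of symlink vp, that vp must be locked (the ASSERT_VOP_LOCKED on the first line enforces this), that the check is skipped entirely when mac_enforce_fs is clear, that the label is refreshed via vn_refreshlabel before policies are consulted, and that the hook is reached both from readlink(2) and from namei() when a link is followed. The final `return (error)` depends on MAC_CHECK assigning error, which the macro presumably does as in the sibling checks, so a short `/* MAC_CHECK sets error. */` beside it would make that visible to readers.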
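Review bot: The new mac_cred_check_readlink call on ndp->ni_vp in the vfs_lookup.c hunk relies on two facts the hunk does not show: that ni_vp is locked at this point, since mac_cred_check_readlink begins with ASSERT_VOP_LOCKED, and that the code after the loop releases ni_vp and ni_dvp when the loop exits through break with error set, as it already must for the ELOOP break two lines above. The enclosing symlink-following loop starts and ends outside the hunk, so both should be confirmed against the surrounding namei() code. A one-line comment would record the intent: `/* MAC: authorize reading this link before VOP_READLINK; failure shares the ELOOP exit path. */`.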
@@ -2849,9 +2849,11 @@
 NDFREE(&nd, NDF_ONLY_PNBUF);
 vp = nd.ni_vp;
 #ifdef MAC
- /*
- * XXXMAC: need some or another MAC check here.
- */
+ error = mac_cred_check_readlink(td->td_ucred, vp);
+ if (error) {
+ vput(vp);
+ return (error);
+ }
 #endif
 if (vp->v_type != VLNK)
 error = EINVAL;
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#112 (text+ko) ====
@@ -282,6 +282,7 @@
 struct vnode *vp, int samedir);
 int mac_cred_check_open_vnode(struct ucred *cred, struct vnode *vp,
 mode_t acc_mode);
+int mac_cred_check_readlink(struct ucred *cred, struct vnode *vp);
 int mac_cred_check_revoke_vnode(struct ucred *cred, struct vnode *vp);
 int mac_cred_check_statfs(struct ucred *cred, struct mount *mp);
 int mac_getsockopt_label_get(struct ucred *cred, struct socket *so,
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#74 (text+ko) ====
@@ -274,6 +274,8 @@
 int (*mpo_cred_check_open_vnode)(struct ucred *cred,
 struct vnode *vp, struct label *label, mode_t acc_mode);
+ int (*mpo_cred_check_readlink)(struct ucred *cred,
+ struct vnode *vp, struct label *label);
 int (*mpo_cred_check_rename_from_vnode)(struct ucred *cred,
 struct vnode *dvp, struct label *dlabel, struct vnode *vp,
 struct label *label);
@@ -403,6 +405,7 @@
 MAC_CRED_CHECK_GETEXTATTR_VNODE,
 MAC_CRED_CHECK_LISTEN_SOCKET,
 MAC_CRED_CHECK_OPEN_VNODE,
+ MAC_CRED_CHECK_READLINK,
 MAC_CRED_CHECK_RENAME_FROM_VNODE,
 MAC_CRED_CHECK_RENAME_TO_VNODE,
 MAC_CRED_CHECK_REVOKE_VNODE,
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
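Review bot: In the vfs_syscalls.c hunk the MAC check now runs before the `vp->v_type != VLNK` test, so for a non-symlink a policy denial is returned ahead of EINVAL; that is a defensible ordering (policy is consulted before the object is inspected at all), but it is the opposite of the open_vnode-style checks that validate the object first, so the choice deserves a comment such as `/* Consult MAC before looking at the vnode; a denied caller learns nothing about its type. */`. The early-return path performs its own vput(vp), which appears to mirror the release the function's normal path does after the hunk; the enclosing readlink() body continues outside the hunk, so confirm that no other resource acquired between NDFREE and this point is left behind on that return.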