From owner-p4-projects@FreeBSD.ORG  Wed Jul 24 14:42:26 2013
Return-Path: <owner-p4-projects@FreeBSD.ORG>
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767)
 id EA4E0EA7; Wed, 24 Jul 2013 14:42:25 +0000 (UTC)
Delivered-To: perforce@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 by hub.freebsd.org (Postfix) with ESMTP id AB908EA5
 for <perforce@freebsd.org>; Wed, 24 Jul 2013 14:42:25 +0000 (UTC)
 (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: from skunkworks.freebsd.org (skunkworks.freebsd.org [8.8.178.74])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id 9BA302370
 for <perforce@freebsd.org>; Wed, 24 Jul 2013 14:42:25 +0000 (UTC)
Received: from skunkworks.freebsd.org ([127.0.1.74])
 by skunkworks.freebsd.org (8.14.7/8.14.7) with ESMTP id r6OEgPkj060629
 for <perforce@freebsd.org>; Wed, 24 Jul 2013 14:42:25 GMT
 (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: (from perforce@localhost)
 by skunkworks.freebsd.org (8.14.7/8.14.6/Submit) id r6OEgPqE060626
 for perforce@freebsd.org; Wed, 24 Jul 2013 14:42:25 GMT
 (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Date: Wed, 24 Jul 2013 14:42:25 GMT
Message-Id: <201307241442.r6OEgPqE060626@skunkworks.freebsd.org>
X-Authentication-Warning: skunkworks.freebsd.org: perforce set sender to
 bb+lists.freebsd.perforce@cyrus.watson.org using -f
From: Robert Watson <rwatson@FreeBSD.org>
Subject: PERFORCE change 231415 for review
To: Perforce Change Reviews <perforce@FreeBSD.org>
Precedence: bulk
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.14
List-Id: p4 projects tree changes <p4-projects.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/p4-projects>,
 <mailto:p4-projects-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/p4-projects>
List-Post: <mailto:p4-projects@freebsd.org>
List-Help: <mailto:p4-projects-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/p4-projects>,
 <mailto:p4-projects-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jul 2013 14:42:26 -0000

http://p4web.freebsd.org/@@231415?ac=10

Change 231415 by rwatson@rwatson_cinnamon on 2013/07/24 14:41:58

	Instead of checking if we are in the execve() call graph,
	instead allow the exec MAC check to authorise open; while
	here, also allow the KLD Load check to authorise open as
	well.

Affected files ...

.. //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_vnops.c#6 edit

Differences ...

==== //depot/projects/ctsrd/tesla/src/sys/ufs/ufs/ufs_vnops.c#6 (text+ko) ====

@@ -275,7 +275,9 @@
 
 #ifdef MAC
 #ifdef TESLA_MAC
-	TESLA_SYSCALL(incallstack(kern_execve) ||
+	TESLA_SYSCALL(
+	    previously(mac_kld_check_load(ANY(ptr), vp) == 0) ||
+	    previously(mac_vnode_check_exec(ANY(ptr), vp, ANY(ptr)) == 0) ||
 	    previously(mac_vnode_check_open(ANY(ptr), vp, ANY(int)) == 0));
 #endif
 #endif