From: Robert Watson Subject: PERFORCE change 15063 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15063 Change 15063 by rwatson@rwatson_paprika on 2002/07/28 12:39:59 Rename VNODE access control check entry points to fit the mac_check_object_method style. Affected files ... .. //depot/projects/trustedbsd/mac/sys/compat/linux/linux_file.c#8 edit .. //depot/projects/trustedbsd/mac/sys/compat/linux/linux_getcwd.c#8 edit .. //depot/projects/trustedbsd/mac/sys/compat/linux/linux_misc.c#14 edit .. //depot/projects/trustedbsd/mac/sys/compat/svr4/svr4_fcntl.c#8 edit .. //depot/projects/trustedbsd/mac/sys/compat/svr4/svr4_misc.c#11 edit .. //depot/projects/trustedbsd/mac/sys/i386/ibcs2/ibcs2_misc.c#7 edit .. //depot/projects/trustedbsd/mac/sys/kern/kern_acl.c#13 edit .. //depot/projects/trustedbsd/mac/sys/kern/kern_descrip.c#20 edit .. //depot/projects/trustedbsd/mac/sys/kern/kern_exec.c#24 edit .. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#201 edit .. //depot/projects/trustedbsd/mac/sys/kern/tty_tty.c#7 edit .. //depot/projects/trustedbsd/mac/sys/kern/uipc_usrreq.c#19 edit .. //depot/projects/trustedbsd/mac/sys/kern/vfs_lookup.c#20 edit .. //depot/projects/trustedbsd/mac/sys/kern/vfs_syscalls.c#64 edit .. //depot/projects/trustedbsd/mac/sys/kern/vfs_vnops.c#31 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#78 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#47 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#66 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#53 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#58 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#23 edit .. 
//depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#16 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#129 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#94 edit .. //depot/projects/trustedbsd/mac/sys/vm/vm_mmap.c#12 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/compat/linux/linux_file.c#8 (text+ko) ==== @@ -331,7 +331,7 @@ /* * Do directory search MAC check using non-cached credentials. */ - if ((error = mac_check_readdir_vnode(td->td_proc->p_ucred, vp)) + if ((error = mac_check_vnode_readdir(td->td_proc->p_ucred, vp)) goto out; #endif /* MAC */ if ((error = VOP_READDIR(vp, &auio, fp->f_cred, &eofflag, &ncookies, ==== //depot/projects/trustedbsd/mac/sys/compat/linux/linux_getcwd.c#8 (text+ko) ==== @@ -203,7 +203,7 @@ eofflag = 0; #ifdef MAC - error = mac_check_readdir_vnode(td->td_ucred, uvp); + error = mac_check_vnode_readdir(td->td_ucred, uvp); if (error == 0) #endif /* MAC */ error = VOP_READDIR(uvp, &uio, td->td_ucred, &eofflag, ==== //depot/projects/trustedbsd/mac/sys/compat/linux/linux_misc.c#14 (text+ko) ==== @@ -308,7 +308,7 @@ * from vn_open(). */ #ifdef MAC - error = mac_check_open_vnode(td->td_ucred, vp, FREAD); + error = mac_check_vnode_open(td->td_ucred, vp, FREAD); if (error) goto cleanup; #endif ==== //depot/projects/trustedbsd/mac/sys/compat/svr4/svr4_fcntl.c#8 (text+ko) ==== @@ -266,7 +266,7 @@ #ifdef MAC vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); - error = mac_check_revoke_vnode(td->td_ucred, vp); + error = mac_check_vnode_revoke(td->td_ucred, vp); VOP_UNLOCK(vp, 0, td); if (error) goto out; ==== //depot/projects/trustedbsd/mac/sys/compat/svr4/svr4_misc.c#11 (text+ko) ==== @@ -316,7 +316,7 @@ #ifdef MAC /* Use process's credentials to check directory search MAC. */ - error = mac_check_readdir_vnode(td->td_proc->p_ucred, vp); + error = mac_check_vnode_readdir(td->td_proc->p_ucred, vp); if (error) goto out; #endif /* MAC */ 
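Review bot: In the linux_file.c hunk (@@ -331,7), the renamed line `if ((error = mac_check_vnode_readdir(td->td_proc->p_ucred, vp))` opens three parentheses and closes only two, so the condition is still open when `goto out;` follows. The rename carries this imbalance over unchanged from the old line. Because the line sits above `#endif /* MAC */`, it would presumably only break a MAC-enabled build with Linux compat. Suggested line: `if ((error = mac_check_vnode_readdir(td->td_proc->p_ucred, vp)))`. The enclosing function starts and ends outside the hunk.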
@@ -479,7 +479,7 @@ */ #ifdef MAC /* Use process's credentials to check directory search MAC. */ - error = mac_check_readdir_vnode(td->td_proc->p_ucred, vp); + error = mac_check_vnode_readdir(td->td_proc->p_ucred, vp); if (error) goto out; #endif /* MAC */ ==== //depot/projects/trustedbsd/mac/sys/i386/ibcs2/ibcs2_misc.c#7 (text+ko) ==== @@ -352,7 +352,7 @@ } #ifdef MAC - error = mac_check_readdir_vnode(td->td_proc->p_ucred, vp); + error = mac_check_vnode_readdir(td->td_proc->p_ucred, vp); if (error) goto out; #endif /* MAC */ @@ -512,7 +512,7 @@ } #ifdef MAC - error = mac_check_readdir_vnode(td->td_proc->p_ucred, vp); + error = mac_check_vnode_readdir(td->td_proc->p_ucred, vp); if (error) goto out; #endif /* MAC */ ==== //depot/projects/trustedbsd/mac/sys/kern/kern_acl.c#13 (text+ko) ==== @@ -585,7 +585,7 @@ VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC - error = mac_check_setacl_vnode(td->td_ucred, vp, type, &inkernacl); + error = mac_check_vnode_setacl(td->td_ucred, vp, type, &inkernacl); if (error != 0) goto out; #endif @@ -611,7 +611,7 @@ VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC - error = mac_check_getacl_vnode(td->td_ucred, vp, type); + error = mac_check_vnode_getacl(td->td_ucred, vp, type); if (error != 0) goto out; #endif @@ -640,7 +640,7 @@ VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC - error = mac_check_deleteacl_vnode(td->td_ucred, vp, type); + error = mac_check_vnode_deleteacl(td->td_ucred, vp, type); if (error) goto out; #endif ==== //depot/projects/trustedbsd/mac/sys/kern/kern_descrip.c#20 (text+ko) ==== 
@@ -331,7 +331,7 @@ * to pass in both the old and the new flags, * with authorization performed only on the delta. */ - error = mac_check_open_vnode(td->td_ucred, + error = mac_check_vnode_open(td->td_ucred, (struct vnode *)fp->f_data, mode); VOP_UNLOCK((struct vnode *)fp->f_data, 0, td); if (error) { ==== //depot/projects/trustedbsd/mac/sys/kern/kern_exec.c#24 (text+ko) ==== @@ -948,7 +948,7 @@ * that the label is retained for use later for MAC models that * support subject domain transitions at execve()-time. */ - error = mac_cred_canexec(curthread->td_ucred, imgp->vp); + error = mac_check_vnode_exec(curthread->td_ucred, imgp->vp); if (error) return (error); #endif ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#201 (text+ko) ==== @@ -342,7 +342,7 @@ continue; vp = (struct vnode *)object->handle; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); - result = mac_check_mmap_vnode_prot(cred, vp, 0); + result = mac_check_vnode_mmap_prot(cred, vp, 0); VOP_UNLOCK(vp, 0, td); /* * Find out what maximum protection we may be allowing 
@@ -717,96 +717,96 @@ case MAC_CHECK_STATFS: mpc->mpc_ops->mpo_check_statfs = mpe->mpe_function; break; - case MAC_CHECK_ACCESS_VNODE: - mpc->mpc_ops->mpo_check_access_vnode = + case MAC_CHECK_VNODE_ACCESS: + mpc->mpc_ops->mpo_check_vnode_access = mpe->mpe_function; break; - case MAC_CHECK_CHDIR_VNODE: - mpc->mpc_ops->mpo_check_chdir_vnode = + case MAC_CHECK_VNODE_CHDIR: + mpc->mpc_ops->mpo_check_vnode_chdir = mpe->mpe_function; break; - case MAC_CHECK_CHROOT_VNODE: - mpc->mpc_ops->mpo_check_chroot_vnode = + case MAC_CHECK_VNODE_CHROOT: + mpc->mpc_ops->mpo_check_vnode_chroot = mpe->mpe_function; break; - case MAC_CHECK_CREATE_VNODE: - mpc->mpc_ops->mpo_check_create_vnode = + case MAC_CHECK_VNODE_CREATE: + mpc->mpc_ops->mpo_check_vnode_create = mpe->mpe_function; break; - case MAC_CHECK_DELETE_VNODE: - mpc->mpc_ops->mpo_check_delete_vnode = + case MAC_CHECK_VNODE_DELETE: + mpc->mpc_ops->mpo_check_vnode_delete = mpe->mpe_function; break; - case MAC_CHECK_DELETEACL_VNODE: - mpc->mpc_ops->mpo_check_deleteacl_vnode = + case MAC_CHECK_VNODE_DELETEACL: + mpc->mpc_ops->mpo_check_vnode_deleteacl = mpe->mpe_function; break; - case MAC_CHECK_EXEC_VNODE: - mpc->mpc_ops->mpo_check_exec_vnode = + case MAC_CHECK_VNODE_EXEC: + mpc->mpc_ops->mpo_check_vnode_exec = mpe->mpe_function; break; - case MAC_CHECK_GETACL_VNODE: - mpc->mpc_ops->mpo_check_getacl_vnode = + case MAC_CHECK_VNODE_GETACL: + mpc->mpc_ops->mpo_check_vnode_getacl = mpe->mpe_function; break; - case MAC_CHECK_GETEXTATTR_VNODE: - mpc->mpc_ops->mpo_check_getextattr_vnode = + case MAC_CHECK_VNODE_GETEXTATTR: + mpc->mpc_ops->mpo_check_vnode_getextattr = mpe->mpe_function; break; - case MAC_CHECK_LOOKUP_VNODE: - mpc->mpc_ops->mpo_check_lookup_vnode = + case MAC_CHECK_VNODE_LOOKUP: + mpc->mpc_ops->mpo_check_vnode_lookup = mpe->mpe_function; break; - case MAC_CHECK_OPEN_VNODE: - mpc->mpc_ops->mpo_check_open_vnode = + case MAC_CHECK_VNODE_OPEN: + mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; - case 
MAC_CHECK_READDIR_VNODE: - mpc->mpc_ops->mpo_check_readdir_vnode = + case MAC_CHECK_VNODE_READDIR: + mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; break; - case MAC_CHECK_READLINK_VNODE: - mpc->mpc_ops->mpo_check_readlink_vnode = + case MAC_CHECK_VNODE_READLINK: + mpc->mpc_ops->mpo_check_vnode_readlink = mpe->mpe_function; break; - case MAC_CHECK_RENAME_FROM_VNODE: - mpc->mpc_ops->mpo_check_rename_from_vnode = + case MAC_CHECK_VNODE_RENAME_FROM: + mpc->mpc_ops->mpo_check_vnode_rename_from = mpe->mpe_function; break; - case MAC_CHECK_RENAME_TO_VNODE: - mpc->mpc_ops->mpo_check_rename_to_vnode = + case MAC_CHECK_VNODE_RENAME_TO: + mpc->mpc_ops->mpo_check_vnode_rename_to = mpe->mpe_function; break; - case MAC_CHECK_REVOKE_VNODE: - mpc->mpc_ops->mpo_check_revoke_vnode = + case MAC_CHECK_VNODE_REVOKE: + mpc->mpc_ops->mpo_check_vnode_revoke = mpe->mpe_function; break; - case MAC_CHECK_SETACL_VNODE: - mpc->mpc_ops->mpo_check_setacl_vnode = + case MAC_CHECK_VNODE_SETACL: + mpc->mpc_ops->mpo_check_vnode_setacl = mpe->mpe_function; break; - case MAC_CHECK_SETEXTATTR_VNODE: - mpc->mpc_ops->mpo_check_setextattr_vnode = + case MAC_CHECK_VNODE_SETEXTATTR: + mpc->mpc_ops->mpo_check_vnode_setextattr = mpe->mpe_function; break; - case MAC_CHECK_SETFLAGS_VNODE: - mpc->mpc_ops->mpo_check_setflags_vnode = + case MAC_CHECK_VNODE_SETFLAGS: + mpc->mpc_ops->mpo_check_vnode_setflags = mpe->mpe_function; break; - case MAC_CHECK_SETMODE_VNODE: - mpc->mpc_ops->mpo_check_setmode_vnode = + case MAC_CHECK_VNODE_SETMODE: + mpc->mpc_ops->mpo_check_vnode_setmode = mpe->mpe_function; break; - case MAC_CHECK_SETOWNER_VNODE: - mpc->mpc_ops->mpo_check_setowner_vnode = + case MAC_CHECK_VNODE_SETOWNER: + mpc->mpc_ops->mpo_check_vnode_setowner = mpe->mpe_function; break; - case MAC_CHECK_SETUTIMES_VNODE: - mpc->mpc_ops->mpo_check_setutimes_vnode = + case MAC_CHECK_VNODE_SETUTIMES: + mpc->mpc_ops->mpo_check_vnode_setutimes = mpe->mpe_function; break; - case MAC_CHECK_STAT_VNODE: - 
mpc->mpc_ops->mpo_check_stat_vnode = + case MAC_CHECK_VNODE_STAT: + mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; case MAC_CHECK_VNODE_MMAP_PERMS: @@ -1288,23 +1288,6 @@ return (0); } - -int -mac_cred_canexec(struct ucred *cred, struct vnode *vp) -{ - int error; - - if (!mac_enforce_process && !mac_enforce_fs) - return (0); - - error = vn_refreshlabel(vp, cred); - if (error) - return (error); - MAC_CHECK(check_exec_vnode, cred, vp, &vp->v_label); - - return (error); -} - void mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp) { @@ -1717,11 +1700,11 @@ } int -mac_check_access_vnode(struct ucred *cred, struct vnode *vp, int flags) +mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_access_vnode"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access"); if (!mac_enforce_fs) return (0); @@ -1730,16 +1713,16 @@ if (error) return (error); - MAC_CHECK(check_access_vnode, cred, vp, &vp->v_label, flags); + MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, flags); return (error); } int -mac_check_chdir_vnode(struct ucred *cred, struct vnode *dvp) +mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp) { int error; - ASSERT_VOP_LOCKED(dvp, "mac_check_chdir_vnode"); + ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir"); if (!mac_enforce_fs) return (0); @@ -1748,16 +1731,16 @@ if (error) return (error); - MAC_CHECK(check_chdir_vnode, cred, dvp, &dvp->v_label); + MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label); return (error); } int -mac_check_chroot_vnode(struct ucred *cred, struct vnode *dvp) +mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp) { int error; - ASSERT_VOP_LOCKED(dvp, "mac_check_chroot_vnode"); + ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot"); if (!mac_enforce_fs) return (0); 
@@ -1766,17 +1749,17 @@ if (error) return (error); - MAC_CHECK(check_chroot_vnode, cred, dvp, &dvp->v_label); + MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label); return (error); } int -mac_check_create_vnode(struct ucred *cred, struct vnode *dvp, +mac_check_vnode_create(struct ucred *cred, struct vnode *dvp, struct componentname *cnp, struct vattr *vap) { int error; - ASSERT_VOP_LOCKED(dvp, "mac_check_create_vnode"); + ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create"); if (!mac_enforce_fs) return (0); @@ -1785,16 +1768,32 @@ if (error) return (error); - MAC_CHECK(check_create_vnode, cred, dvp, &dvp->v_label, cnp, vap); + MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap); + return (error); +} + +int +mac_check_vnode_exec(struct ucred *cred, struct vnode *vp) +{ + int error; + + if (!mac_enforce_process && !mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label); + return (error); } int -mac_check_getacl_vnode(struct ucred *cred, struct vnode *vp, acl_type_t type) +mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_getacl_vnode"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl"); if (!mac_enforce_fs) return (0); @@ -1803,17 +1802,17 @@ if (error) return (error); - MAC_CHECK(check_getacl_vnode, cred, vp, &vp->v_label, type); + MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type); return (error); } int -mac_check_getextattr_vnode(struct ucred *cred, struct vnode *vp, +mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_getextattr_vnode"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr"); if (!mac_enforce_fs) return (0); 
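Review bot: The new `mac_check_vnode_exec()` added in the @@ -1785,16 +1768,32 hunk calls `vn_refreshlabel(vp, cred)` without a lock assertion, while every other mac_check_vnode_* function visible in this diff begins with `ASSERT_VOP_LOCKED(...)`. If the execve path holds the vnode lock at the kern_exec.c call site (not visible here), add `ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec");` as the first statement so a label refresh on an unlocked vnode is caught in debug kernels. If the lock is not held there, a short comment explaining why this check is exempt would document the difference from its siblings.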
@@ -1822,18 +1821,18 @@ if (error) return (error); - MAC_CHECK(check_getextattr_vnode, cred, vp, &vp->v_label, + MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label, attrnamespace, name, uio); return (error); } int -mac_check_lookup_vnode(struct ucred *cred, struct vnode *dvp, +mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { int error; - ASSERT_VOP_LOCKED(dvp, "mac_check_lookup_vnode"); + ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup"); if (!mac_enforce_fs) return (0); @@ -1842,30 +1841,30 @@ if (error) return (error); - MAC_CHECK(check_lookup_vnode, cred, dvp, &dvp->v_label, cnp); + MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp); return (error); } vm_prot_t -mac_check_mmap_vnode_prot(struct ucred *cred, struct vnode *vp, int newmapping) +mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) { vm_prot_t result = VM_PROT_ALL; /* * This should be some sort of MAC_BITWISE, maybe :) */ - ASSERT_VOP_LOCKED(vp, "mac_check_mmap_vnode_perms"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_perms"); MAC_BOOLEAN(check_vnode_mmap_perms, &, cred, vp, &vp->v_label, newmapping); return (result); } int -mac_check_open_vnode(struct ucred *cred, struct vnode *vp, mode_t acc_mode) +mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_open_vnode"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); if (!mac_enforce_fs) return (0); @@ -1874,16 +1873,16 @@ if (error) return (error); - MAC_CHECK(check_open_vnode, cred, vp, &vp->v_label, acc_mode); + MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); return (error); } int -mac_check_readdir_vnode(struct ucred *cred, struct vnode *dvp) +mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) { int error; - ASSERT_VOP_LOCKED(dvp, "mac_check_readdir_vnode"); + ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir"); if (!mac_enforce_fs) return (0); 
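Review bot: In the @@ -1842,30 hunk, `mac_check_vnode_mmap_prot()` passes the string `"mac_check_vnode_mmap_perms"` to ASSERT_VOP_LOCKED, which does not match the function's own name. If that string is what the assertion reports, a lock violation would be attributed to a function that does not exist. Suggested line: `ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_prot");`. This function also has no `mac_enforce_fs` test and no `vn_refreshlabel()` call, unlike its neighbours; that may be deliberate, but a one-line comment saying so would keep a later reader from treating it as an omission.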
@@ -1892,16 +1891,16 @@ if (error) return (error); - MAC_CHECK(check_readdir_vnode, cred, dvp, &dvp->v_label); + MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label); return (error); } int -mac_check_readlink_vnode(struct ucred *cred, struct vnode *vp) +mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_readlink_vnode"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink"); if (!mac_enforce_fs) return (0); @@ -1910,16 +1909,16 @@ if (error) return (error); - MAC_CHECK(check_readlink_vnode, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label); return (error); } int -mac_check_revoke_vnode(struct ucred *cred, struct vnode *vp) +mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_revoke_vnode"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke"); if (!mac_enforce_fs) return (0); @@ -1928,17 +1927,17 @@ if (error) return (error); - MAC_CHECK(check_revoke_vnode, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label); return (error); } int -mac_check_setacl_vnode(struct ucred *cred, struct vnode *vp, acl_type_t type, +mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type, struct acl *acl) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_setacl_vnode"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl"); if (!mac_enforce_fs) return (0); @@ -1947,17 +1946,17 @@ if (error) return (error); - MAC_CHECK(check_setacl_vnode, cred, vp, &vp->v_label, type, acl); + MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl); return (error); } int -mac_check_setextattr_vnode(struct ucred *cred, struct vnode *vp, +mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_setextattr_vnode"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr"); if (!mac_enforce_fs) return (0); 
@@ -1966,17 +1965,17 @@ if (error) return (error); - MAC_CHECK(check_setextattr_vnode, cred, vp, &vp->v_label, + MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label, attrnamespace, name, uio); return (error); } int -mac_check_setflags_vnode(struct ucred *cred, struct vnode *vp, u_long flags) +mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_setflags_vnode"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags"); if (!mac_enforce_fs) return (0); @@ -1985,16 +1984,16 @@ if (error) return (error); - MAC_CHECK(check_setflags_vnode, cred, vp, &vp->v_label, flags); + MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags); return (error); } int -mac_check_setmode_vnode(struct ucred *cred, struct vnode *vp, mode_t mode) +mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_setmode_vnode"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode"); if (!mac_enforce_fs) return (0); @@ -2003,17 +2002,17 @@ if (error) return (error); - MAC_CHECK(check_setmode_vnode, cred, vp, &vp->v_label, mode); + MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode); return (error); } int -mac_check_setowner_vnode(struct ucred *cred, struct vnode *vp, uid_t uid, +mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid, gid_t gid) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_setowner_vnode"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner"); if (!mac_enforce_fs) return (0); 
@@ -2022,17 +2021,17 @@ if (error) return (error); - MAC_CHECK(check_setowner_vnode, cred, vp, &vp->v_label, uid, gid); + MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid); return (error); } int -mac_check_setutimes_vnode(struct ucred *cred, struct vnode *vp, +mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, struct timespec atime, struct timespec mtime) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_setutimes_vnode"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes"); if (!mac_enforce_fs) return (0); @@ -2041,19 +2040,19 @@ if (error) return (error); - MAC_CHECK(check_setutimes_vnode, cred, vp, &vp->v_label, atime, + MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime, mtime); return (error); } int -mac_check_delete_vnode(struct ucred *cred, struct vnode *dvp, struct vnode *vp, +mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; - ASSERT_VOP_LOCKED(dvp, "mac_check_delete_vnode"); - ASSERT_VOP_LOCKED(vp, "mac_check_delete_vnode"); + ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_delete"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_delete"); if (!mac_enforce_fs) return (0); @@ -2065,18 +2064,18 @@ if (error) return (error); - MAC_CHECK(check_delete_vnode, cred, dvp, &dvp->v_label, vp, + MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp, &vp->v_label, cnp); return (error); } int -mac_check_deleteacl_vnode(struct ucred *cred, struct vnode *vp, +mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, acl_type_t type) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_deleteacl_vnode"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl"); if (!mac_enforce_fs) return (0); 
@@ -2085,18 +2084,18 @@ if (error) return (error); - MAC_CHECK(check_deleteacl_vnode, cred, vp, &vp->v_label, type); + MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type); return (error); } int -mac_check_rename_from_vnode(struct ucred *cred, struct vnode *dvp, +mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) { int error; - ASSERT_VOP_LOCKED(dvp, "mac_check_rename_from_vnode"); - ASSERT_VOP_LOCKED(vp, "mac_check_rename_from_vnode"); + ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from"); if (!mac_enforce_fs) return (0); @@ -2108,19 +2107,19 @@ if (error) return (error); - MAC_CHECK(check_rename_from_vnode, cred, dvp, &dvp->v_label, vp, + MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp, &vp->v_label, cnp); return (error); } int -mac_check_rename_to_vnode(struct ucred *cred, struct vnode *dvp, +mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, struct vnode *vp, int samedir, struct componentname *cnp) { int error; - ASSERT_VOP_LOCKED(dvp, "mac_check_rename_to_vnode"); - ASSERT_VOP_LOCKED(vp, "mac_check_rename_to_vnode"); + ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to"); if (!mac_enforce_fs) return (0); @@ -2133,17 +2132,17 @@ if (error) return (error); } - MAC_CHECK(check_rename_to_vnode, cred, dvp, &dvp->v_label, vp, + MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp, vp != NULL ? &vp->v_label : NULL, samedir, cnp); return (error); } int -mac_check_stat_vnode(struct ucred *cred, struct vnode *vp) +mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_stat_vnode"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat"); if (!mac_enforce_fs) return (0); 
@@ -2152,7 +2151,7 @@ if (error) return (error); - MAC_CHECK(check_stat_vnode, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label); return (error); } ==== //depot/projects/trustedbsd/mac/sys/kern/tty_tty.c#7 (text+ko) ==== @@ -98,7 +98,7 @@ return (ENXIO); vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC - error = mac_check_open_vnode(td->td_ucred, ttyvp, flag); + error = mac_check_vnode_open(td->td_ucred, ttyvp, flag); if (error) { VOP_UNLOCK(ttyvp, 0, td); return (error); ==== //depot/projects/trustedbsd/mac/sys/kern/uipc_usrreq.c#19 (text+ko) ==== @@ -639,7 +639,7 @@ vattr.va_mode = (ACCESSPERMS & ~td->td_proc->p_fd->fd_cmask); FILEDESC_UNLOCK(td->td_proc->p_fd); #ifdef MAC - error = mac_check_create_vnode(td->td_ucred, nd.ni_dvp, &nd.ni_cnd, + error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd, &vattr); #endif /* MAC */ if (error == 0) { ==== //depot/projects/trustedbsd/mac/sys/kern/vfs_lookup.c#20 (text+ko) ==== @@ -203,7 +203,7 @@ break; } #ifdef MAC - error = mac_check_readlink_vnode(td->td_ucred, ndp->ni_vp); + error = mac_check_vnode_readlink(td->td_ucred, ndp->ni_vp); if (error) break; #endif @@ -454,7 +454,7 @@ */ unionlookup: #ifdef MAC - error = mac_check_lookup_vnode(td->td_ucred, dp, cnp); + error = mac_check_vnode_lookup(td->td_ucred, dp, cnp); if (error) goto bad; #endif ==== //depot/projects/trustedbsd/mac/sys/kern/vfs_syscalls.c#64 (text+ko) ==== @@ -1460,7 +1460,7 @@ if (vp->v_type != VDIR) error = ENOTDIR; #ifdef MAC - else if ((error = mac_check_chdir_vnode(td->td_ucred, vp)) != 0) { + else if ((error = mac_check_vnode_chdir(td->td_ucred, vp)) != 0) { } #endif else @@ -1600,7 +1600,7 @@ NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE, SCARG(uap, path), td); #ifdef MAC - if ((error = mac_check_chroot_vnode(td->td_ucred, nd.ni_vp))) { + if ((error = mac_check_vnode_chroot(td->td_ucred, nd.ni_vp))) { /* * XXX: Release of namei() structures may be wrong here * and below in existing code. 
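Review bot: In the vfs_syscalls.c hunk at @@ -1600,7, `mac_check_vnode_chroot(td->td_ucred, nd.ni_vp)` is called directly after `NDINIT(...)` with no lookup visible between them, so `nd.ni_vp` appears to be read before anything has filled it in. The check asserts the vnode lock and reads `&dvp->v_label`, so on an unset pointer the policy decision would be made against stack garbage, or the kernel would fault. The MAC check belongs after the path lookup has succeeded and returned a locked vnode. The rest of the function lies outside the hunk, so confirm the ordering against the full source before changing it.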
@@ -1643,7 +1643,7 @@ if (vp->v_type != VDIR) error = ENOTDIR; #ifdef MAC - else if ((error = mac_check_chdir_vnode(td->td_ucred, vp)) != 0) { + else if ((error = mac_check_vnode_chdir(td->td_ucred, vp)) != 0) { } #endif else @@ -1943,7 +1943,7 @@ } #ifdef MAC if (error == 0 && !whiteout) - error = mac_check_create_vnode(td->td_ucred, nd.ni_dvp, + error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd, &vattr); #endif /* MAC */ if (!error) { @@ -2013,7 +2013,7 @@ vattr.va_mode = (SCARG(uap, mode) & ALLPERMS) &~ td->td_proc->p_fd->fd_cmask; FILEDESC_UNLOCK(td->td_proc->p_fd); #ifdef MAC - error = mac_check_create_vnode(td->td_ucred, nd.ni_dvp, &nd.ni_cnd, + error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd, &vattr); #endif /* MAC */ if (error == 0) { @@ -2139,7 +2139,7 @@ FILEDESC_UNLOCK(td->td_proc->p_fd); vattr.va_type = VLNK; #ifdef MAC - error = mac_check_create_vnode(td->td_ucred, nd.ni_dvp, &nd.ni_cnd, + error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd, &vattr); #endif /* MAC */ if (error == 0) { @@ -2261,7 +2261,7 @@ vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); if (!error) { #ifdef MAC - error = mac_check_delete_vnode(td->td_ucred, nd.ni_dvp, vp, + error = mac_check_vnode_delete(td->td_ucred, nd.ni_dvp, vp, &nd.ni_cnd); if (error == 0) { #endif @@ -2410,7 +2410,7 @@ if (user_flags & X_OK) flags |= VEXEC; #ifdef MAC - error = mac_check_access_vnode(cred, vp, flags); + error = mac_check_vnode_access(cred, vp, flags); if (error) return (error); #endif @@ -2856,7 +2856,7 @@ NDFREE(&nd, NDF_ONLY_PNBUF); vp = nd.ni_vp; #ifdef MAC - error = mac_check_readlink_vnode(td->td_ucred, vp); + error = mac_check_vnode_readlink(td->td_ucred, vp); if (error) { vput(vp); return (error); @@ -2913,7 +2913,7 @@ VATTR_NULL(&vattr); vattr.va_flags = flags; #if MAC - error = mac_check_setflags_vnode(td->td_ucred, vp, vattr.va_flags); + error = mac_check_vnode_setflags(td->td_ucred, vp, vattr.va_flags); if (error != 0) goto out; #endif 
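Review bot: The setflags hunk at @@ -2913,7 guards the new `mac_check_vnode_setflags()` call with `#if MAC`, while every other call site in this diff uses `#ifdef MAC`. If MAC is ever defined without a value, `#if MAC` is a preprocessor error, and if it is defined as 0 the access check is silently compiled out. Use `#ifdef MAC` here so the guard matches the rest of the file.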
@@ -3027,7 +3027,7 @@ VATTR_NULL(&vattr); vattr.va_mode = mode & ALLPERMS; #ifdef MAC - error = mac_check_setmode_vnode(td->td_ucred, vp, vattr.va_mode); + error = mac_check_vnode_setmode(td->td_ucred, vp, vattr.va_mode); if (error != 0) >>> TRUNCATED FOR MAIL (1000 lines) <<< To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message