Date: Sun, 28 Jul 2002 14:27:15 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 15073 for review Message-ID: <200207282127.g6SLRFuA094945@freefall.freebsd.org>
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15073 Change 15073 by rwatson@rwatson_paprika on 2002/07/28 14:27:00 Rename mac_check_statfs to mac_check_mount_stat to conform to new naming scheme. Affected files ... .. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#202 edit .. //depot/projects/trustedbsd/mac/sys/kern/vfs_syscalls.c#65 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#79 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#67 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#54 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#59 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#24 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#130 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#95 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#202 (text+ko) ==== @@ -662,6 +662,10 @@ mpc->mpc_ops->mpo_check_ifnet_transmit = mpe->mpe_function; break; + case MAC_CHECK_MOUNT_STAT: + mpc->mpc_ops->mpo_check_mount_stat = + mpe->mpe_function; + break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; @@ -714,9 +718,6 @@ mpc->mpc_ops->mpo_check_relabel_vnode = mpe->mpe_function; break; - case MAC_CHECK_STATFS: - mpc->mpc_ops->mpo_check_statfs = mpe->mpe_function; - break; case MAC_CHECK_VNODE_ACCESS: mpc->mpc_ops->mpo_check_vnode_access = mpe->mpe_function; @@ -2453,6 +2454,19 @@ } int +mac_check_mount_stat(struct ucred *cred, struct mount *mount) +{ + int error; + + if (!mac_enforce_fs) + return (0); + + MAC_CHECK(check_mount_stat, cred, mount, &mount->mnt_mntlabel); + + return (error); +} + +int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { int error; 
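Review bot: The new `mac_check_mount_stat()` in kern_mac.c names its second parameter `mount`, while the prototype this change adds to sys/sys/mac.h and every policy hook call it `mp`; `mac_check_mount_stat(struct ucred *cred, struct mount *mp)` would keep declaration and definition aligned. The function also has no header comment, and `error` is assigned only inside the MAC_CHECK macro, whose expansion is not visible in the hunk. A comment such as `/* Check whether cred may read statistics for mp; returns 0 without running MAC_CHECK when mac_enforce_fs is clear. */` would record that the check is bypassed when enforcement is off.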
@@ -2679,19 +2693,6 @@ } int -mac_check_statfs(struct ucred *cred, struct mount *mount) -{ - int error; - - if (!mac_enforce_fs) - return (0); - - MAC_CHECK(check_statfs, cred, mount, &mount->mnt_mntlabel); - - return (error); -} - -int mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) { int error; ==== //depot/projects/trustedbsd/mac/sys/kern/vfs_syscalls.c#65 (text+ko) ==== @@ -1290,7 +1290,7 @@ NDFREE(&nd, NDF_ONLY_PNBUF); vrele(nd.ni_vp); #ifdef MAC - error = mac_check_statfs(td->td_ucred, mp); + error = mac_check_mount_stat(td->td_ucred, mp); if (error) return (error); #endif @@ -1337,7 +1337,7 @@ if (mp == NULL) return (EBADF); #ifdef MAC - error = mac_check_statfs(td->td_ucred, mp); + error = mac_check_mount_stat(td->td_ucred, mp); if (error) return (error); #endif @@ -1384,7 +1384,7 @@ mtx_lock(&mountlist_mtx); for (mp = TAILQ_FIRST(&mountlist); mp != NULL; mp = nmp) { #ifdef MAC - if (mac_check_statfs(td->td_ucred, mp) != 0) { + if (mac_check_mount_stat(td->td_ucred, mp) != 0) { nmp = TAILQ_NEXT(mp, mnt_list); continue; } @@ -4671,7 +4671,7 @@ sp = &mp->mnt_stat; vput(vp); #ifdef MAC - error = mac_check_statfs(td->td_ucred, mp); + error = mac_check_mount_stat(td->td_ucred, mp); if (error) return (error); #endif ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#79 (text+ko) ==== @@ -1214,6 +1214,24 @@ } static int +mac_biba_check_mount_stat(struct ucred *cred, struct mount *mp, + struct label *mntlabel) +{ + struct mac_biba *subj, *obj; + + if (!mac_biba_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(mntlabel); + + if (!mac_biba_dominate_single(obj, subj)) + return (EACCES); + + return (0); +} + +static int mac_biba_check_proc_debug(struct ucred *cred, struct proc *proc) { struct mac_biba *subj, *obj; 
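Review bot: In the vfs_syscalls.c hunk at 1384, a denied `mac_check_mount_stat()` skips the mount with `continue` instead of returning the error, unlike the other three call sites in this file, and nothing documents that difference. The effect is that the caller receives a shorter mount list with no indication that entries were withheld; this looks deliberate, so a comment such as `/* MAC: omit mounts the subject may not stat rather than failing the whole call. */` would make it explicit. The check also runs inside the loop entered after `mtx_lock(&mountlist_mtx)`, so policy implementations of this hook must not sleep; that constraint is worth stating next to the hook declaration. The loop body continues outside the hunk.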
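Review bot: The argument order of the dominance test in `mac_biba_check_mount_stat()` is the entire policy decision and has no comment: Biba calls `mac_biba_dominate_single(obj, subj)`, while the otherwise identical `mac_mls_check_mount_stat()` in mac_mls.c calls `mac_mls_dominate_single(subj, obj)`. Assuming the helper reads as "first argument dominates second" (its definition is not shown), the reversal matches the two models' read rules, but a mechanical move like this one is exactly where a swapped pair would go unnoticed. I would add `/* Stat is a read: the mount label must dominate the subject. */` above the Biba test and `/* Stat is a read: the subject must dominate the mount label. */` above the MLS one.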
@@ -1464,24 +1482,6 @@ } static int -mac_biba_check_statfs(struct ucred *cred, struct mount *mp, - struct label *mntlabel) -{ - struct mac_biba *subj, *obj; - - if (!mac_biba_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT(mntlabel); - - if (!mac_biba_dominate_single(obj, subj)) - return (EACCES); - - return (0); -} - -static int mac_biba_check_vnode_access(struct ucred *cred, struct vnode *vp, struct label *label, mode_t flags) { @@ -2146,6 +2146,8 @@ (macop_t)mac_biba_check_cred_visible }, { MAC_CHECK_IFNET_TRANSMIT, (macop_t)mac_biba_check_ifnet_transmit }, + { MAC_CHECK_MOUNT_STAT, + (macop_t)mac_biba_check_mount_stat }, { MAC_CHECK_PROC_DEBUG, (macop_t)mac_biba_check_proc_debug }, { MAC_CHECK_PROC_SCHED, @@ -2166,8 +2168,6 @@ (macop_t)mac_biba_check_relabel_subject }, { MAC_CHECK_RELABEL_VNODE, (macop_t)mac_biba_check_relabel_vnode }, - { MAC_CHECK_STATFS, - (macop_t)mac_biba_check_statfs }, { MAC_CHECK_VNODE_ACCESS, (macop_t)mac_biba_check_vnode_access }, { MAC_CHECK_VNODE_CHDIR, ==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#67 (text+ko) ==== @@ -1163,6 +1163,24 @@ } static int +mac_mls_check_mount_stat(struct ucred *cred, struct mount *mp, + struct label *mntlabel) +{ + struct mac_mls *subj, *obj; + + if (!mac_mls_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(mntlabel); + + if (!mac_mls_dominate_single(subj, obj)) + return (EACCES); + + return (0); +} + +static int mac_mls_check_proc_debug(struct ucred *cred, struct proc *proc) { struct mac_mls *subj, *obj; 
@@ -1413,24 +1431,6 @@ } static int -mac_mls_check_statfs(struct ucred *cred, struct mount *mp, - struct label *mntlabel) -{ - struct mac_mls *subj, *obj; - - if (!mac_mls_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT(mntlabel); - - if (!mac_mls_dominate_single(subj, obj)) - return (EACCES); - - return (0); -} - -static int mac_mls_check_vnode_access(struct ucred *cred, struct vnode *vp, struct label *label, mode_t flags) { @@ -2095,6 +2095,8 @@ (macop_t)mac_mls_check_cred_visible }, { MAC_CHECK_IFNET_TRANSMIT, (macop_t)mac_mls_check_ifnet_transmit }, + { MAC_CHECK_MOUNT_STAT, + (macop_t)mac_mls_check_mount_stat }, { MAC_CHECK_PROC_DEBUG, (macop_t)mac_mls_check_proc_debug }, { MAC_CHECK_PROC_SCHED, @@ -2115,8 +2117,6 @@ (macop_t)mac_mls_check_relabel_subject }, { MAC_CHECK_RELABEL_VNODE, (macop_t)mac_mls_check_relabel_vnode }, - { MAC_CHECK_STATFS, - (macop_t)mac_mls_check_statfs }, { MAC_CHECK_VNODE_ACCESS, (macop_t)mac_mls_check_vnode_access }, { MAC_CHECK_VNODE_CHDIR, ==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#54 (text+ko) ==== @@ -572,6 +572,14 @@ } static int +mac_none_check_mount_stat(struct ucred *cred, struct mount *mp, + struct label *mntlabel) +{ + + return (0); +} + +static int mac_none_check_proc_debug(struct ucred *cred, struct proc *proc) { @@ -672,14 +680,6 @@ } static int -mac_none_check_statfs(struct ucred *cred, struct mount *mp, - struct label *mntlabel) -{ - - return (0); -} - -static int mac_none_check_vnode_access(struct ucred *cred, struct vnode *vp, struct label *label, mode_t flags) { @@ -1022,6 +1022,8 @@ (macop_t)mac_none_check_cred_visible }, { MAC_CHECK_IFNET_TRANSMIT, (macop_t)mac_none_check_ifnet_transmit }, + { MAC_CHECK_MOUNT_STAT, + (macop_t)mac_none_check_mount_stat }, { MAC_CHECK_PROC_DEBUG, (macop_t)mac_none_check_proc_debug }, { MAC_CHECK_PROC_SCHED, 
@@ -1048,8 +1050,6 @@ (macop_t)mac_none_check_relabel_subject }, { MAC_CHECK_RELABEL_VNODE, (macop_t)mac_none_check_relabel_vnode }, - { MAC_CHECK_STATFS, - (macop_t)mac_none_check_statfs }, { MAC_CHECK_VNODE_ACCESS, (macop_t)mac_none_check_vnode_access }, { MAC_CHECK_VNODE_CHDIR, ==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#59 (text+ko) ==== @@ -694,6 +694,18 @@ } static int +mac_te_check_mount_stat(struct ucred *cred, struct mount *mp, + struct label *mplabel) +{ + int error; + + error = mac_te_check(SLOT(&cred->cr_label), SLOT(mplabel), + MAC_TE_CLASS_FS, MAC_TE_OPERATION_FS_STATFS); + + return (error); +} + +static int mac_te_check_proc_debug(struct ucred *cred, struct proc *proc) { @@ -1535,18 +1547,6 @@ return (0); } -static int -mac_te_check_statfs(struct ucred *cred, struct mount *mp, - struct label *mplabel) -{ - int error; - - error = mac_te_check(SLOT(&cred->cr_label), SLOT(mplabel), - MAC_TE_CLASS_FS, MAC_TE_OPERATION_FS_STATFS); - - return (error); -} - static vm_prot_t mac_te_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp, struct label *label, int newmapping) @@ -1748,6 +1748,8 @@ (macop_t)mac_te_check_cred_visible }, { MAC_CHECK_IFNET_TRANSMIT, (macop_t)mac_te_check_ifnet_transmit }, + { MAC_CHECK_MOUNT_STAT, + (macop_t)mac_te_check_mount_stat }, { MAC_CHECK_PROC_DEBUG, (macop_t)mac_te_check_proc_debug }, { MAC_CHECK_PROC_SCHED, @@ -1774,7 +1776,6 @@ (macop_t)mac_te_check_relabel_subject }, { MAC_CHECK_RELABEL_VNODE, (macop_t)mac_te_check_relabel_vnode }, - { MAC_CHECK_STATFS, (macop_t)mac_te_check_statfs }, { MAC_CHECK_VNODE_ACCESS, (macop_t)mac_te_check_vnode_access }, { MAC_CHECK_VNODE_CHDIR, ==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#24 (text+ko) ==== @@ -780,6 +780,14 @@ } static int +mac_test_check_mount_stat(struct ucred *cred, struct mount *mp, + struct label *mntlabel) +{ + + return (0); +} + +static int mac_test_check_proc_debug(struct ucred *cred, struct proc *proc) { 
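Review bot: The renamed `mac_te_check_mount_stat()` still passes `MAC_TE_OPERATION_FS_STATFS` and names its label parameter `mplabel`, where the Biba, MLS, none and test policies use `mntlabel`. If the operation constant is tied to the TE policy language and has to keep its name, a comment such as `/* The TE operation keeps its historical STATFS name. */` would stop a later reader from treating it as a missed rename; otherwise it should follow the new scheme. Renaming the parameter to `mntlabel` would match the `mpo_check_mount_stat` prototype in mac_policy.h.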
@@ -896,14 +904,6 @@ } static int -mac_test_check_statfs(struct ucred *cred, struct mount *mp, - struct label *mntlabel) -{ - - return (0); -} - -static int mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp, struct label *label, mode_t flags) { @@ -1228,6 +1228,8 @@ (macop_t)mac_test_check_cred_visible }, { MAC_CHECK_IFNET_TRANSMIT, (macop_t)mac_test_check_ifnet_transmit }, + { MAC_CHECK_MOUNT_STAT, + (macop_t)mac_test_check_mount_stat }, { MAC_CHECK_PROC_DEBUG, (macop_t)mac_test_check_proc_debug }, { MAC_CHECK_PROC_SCHED, @@ -1254,8 +1256,6 @@ (macop_t)mac_test_check_relabel_subject }, { MAC_CHECK_RELABEL_VNODE, (macop_t)mac_test_check_relabel_vnode }, - { MAC_CHECK_STATFS, - (macop_t)mac_test_check_statfs }, { MAC_CHECK_VNODE_ACCESS, (macop_t)mac_test_check_vnode_access }, { MAC_CHECK_VNODE_CHDIR, ==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#130 (text+ko) ==== @@ -258,6 +258,7 @@ /* Authorizational event hooks. */ int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet); +int mac_check_mount_stat(struct ucred *cred, struct mount *mp); int mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags); int mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp); @@ -300,7 +301,6 @@ int mac_check_vnode_readdir(struct ucred *cred, struct vnode *vp); int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp); int mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp); -int mac_check_statfs(struct ucred *cred, struct mount *mp); int mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op); int mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op); int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, ==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#95 (text+ko) ==== 
@@ -235,6 +235,8 @@ int (*mpo_check_ifnet_transmit)(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *m, struct label *mbuflabel); + int (*mpo_check_mount_stat)(struct ucred *cred, struct mount *mp, + struct label *mntlabel); int (*mpo_check_proc_debug)(struct ucred *cred, struct proc *proc); int (*mpo_check_proc_sched)(struct ucred *cred, struct proc *proc); int (*mpo_check_proc_signal)(struct ucred *cred, struct proc *proc, @@ -266,8 +268,6 @@ int (*mpo_check_relabel_vnode)(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, struct label *newlabel); - int (*mpo_check_statfs)(struct ucred *cred, struct mount *mp, - struct label *mntlabel); int (*mpo_check_vnode_access)(struct ucred *cred, struct vnode *vp, struct label *label, int flags); int (*mpo_check_vnode_chdir)(struct ucred *cred, @@ -412,6 +412,7 @@ MAC_CHECK_BPFDESC_RECEIVE, MAC_CHECK_CRED_VISIBLE, MAC_CHECK_IFNET_TRANSMIT, + MAC_CHECK_MOUNT_STAT, MAC_CHECK_PROC_DEBUG, MAC_CHECK_PROC_SCHED, MAC_CHECK_PROC_SIGNAL, @@ -425,7 +426,6 @@ MAC_CHECK_RELABEL_SOCKET, MAC_CHECK_RELABEL_SUBJECT, MAC_CHECK_RELABEL_VNODE, - MAC_CHECK_STATFS, MAC_CHECK_VNODE_ACCESS, MAC_CHECK_VNODE_CHDIR, MAC_CHECK_VNODE_CHROOT, To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
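Review bot: Inserting `MAC_CHECK_MOUNT_STAT` after `MAC_CHECK_IFNET_TRANSMIT` in what appears to be the operation enumerator list (the declaration opens outside the hunk at 412) renumbers every constant from `MAC_CHECK_PROC_DEBUG` through `MAC_CHECK_RELABEL_VNODE`. A policy module built against the previous header would hand the registration switch in kern_mac.c the old numbers, and because entries are stored through `(macop_t)` casts the kernel would bind a hook to the wrong `mpo_*` slot without any type error. All in-tree policies are updated here, but the requirement to rebuild modules in lockstep is not recorded anywhere visible. I would add `/* Adding or reordering entries renumbers the operations: rebuild all policy modules with the kernel. */` above the list, or append new operations at the end if out-of-tree modules are expected.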