From owner-p4-projects@FreeBSD.ORG Thu Nov 16 19:14:44 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 5187D16A412; Thu, 16 Nov 2006 19:14:44 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 05C5716A407 for ; Thu, 16 Nov 2006 19:14:44 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 87FBC43D99 for ; Thu, 16 Nov 2006 19:14:36 +0000 (GMT) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id kAGJEZ0t066480 for ; Thu, 16 Nov 2006 19:14:35 GMT (envelope-from millert@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id kAGJEZE0066477 for perforce@freebsd.org; Thu, 16 Nov 2006 19:14:35 GMT (envelope-from millert@freebsd.org) Date: Thu, 16 Nov 2006 19:14:35 GMT Message-Id: <200611161914.kAGJEZE0066477@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 110123 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Nov 2006 19:14:44 -0000 http://perforce.freebsd.org/chv.cgi?CH=110123 Change 110123 by millert@millert_macbook on 2006/11/16 19:13:40 Remove mac_file_check_{get,change}_flags and mac_file_check_{get,change}_ofileflags. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_descrip.c#7 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sys_generic.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_syscalls.c#16 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_file.c#7 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#19 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#28 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#45 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_descrip.c#7 (text+ko) ==== @@ -410,42 +410,22 @@ goto out; case F_GETFD: -#ifdef MAC - error = mac_file_check_get_ofileflags(proc_ucred(p), - fp->f_fglob, *pop); - if (error == 0) -#endif - *retval = (*pop & UF_EXCLOSE)? 1 : 0; + *retval = (*pop & UF_EXCLOSE)? 1 : 0; + error = 0; goto out; case F_SETFD: -#ifdef MAC - error = mac_file_check_change_ofileflags(proc_ucred(p), - fp->f_fglob, *pop, (*pop &~ UF_EXCLOSE) | - (uap->arg & 1 ? UF_EXCLOSE : 0)); - if (error == 0) -#endif - *pop = (*pop &~ UF_EXCLOSE) | - (uap->arg & 1)? UF_EXCLOSE : 0; + *pop = (*pop &~ UF_EXCLOSE) | + (uap->arg & 1)? UF_EXCLOSE : 0; + error = 0; goto out; case F_GETFL: -#ifdef MAC - error = mac_file_check_get_flags(proc_ucred(p), fp->f_fglob, - fp->f_flag); - if (error == 0) -#endif - *retval = OFLAGS(fp->f_flag); + *retval = OFLAGS(fp->f_flag); + error = 0; goto out; case F_SETFL: -#ifdef MAC - error = mac_file_check_change_flags(proc_ucred(p), - fp->f_fglob, fp->f_flag, (fp->f_flag & ~FCNTLFLAGS) | - (FFLAGS(CAST_DOWN(int, uap->arg)) & FCNTLFLAGS)); - if (error) - goto out; -#endif fp->f_flag &= ~FCNTLFLAGS; tmp = CAST_DOWN(int, uap->arg); fp->f_flag |= FFLAGS(tmp) & FCNTLFLAGS; @@ -2484,12 +2464,6 @@ lf.l_len = 0; if (how & LOCK_UN) { lf.l_type = F_UNLCK; -#ifdef MAC - error = mac_file_check_change_flags(proc_ucred(p), fp->f_fglob, - fp->f_flag, fp->f_flag & ~FHASLOCK); - if (error) - goto out; -#endif fp->f_flag &= ~FHASLOCK; error = VNOP_ADVLOCK(vp, (caddr_t)fp->f_fglob, F_UNLCK, &lf, F_FLOCK, &context); goto out; @@ -2503,12 +2477,6 @@ goto out; } #ifdef MAC - error = mac_file_check_change_flags(proc_ucred(p), fp->f_fglob, - fp->f_flag, fp->f_flag | FHASLOCK); - if (error) - goto out; -#endif -#ifdef MAC error = mac_file_check_lock(proc_ucred(p), fp->f_fglob, F_SETLK, &lf); if (error) goto out; ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sys_generic.c#5 (text+ko) ==== @@ -752,7 +752,7 @@ if (error) goto out; #endif - + #if NETAT /* * ### LD 6/11/97 Hack Alert: this is to get AppleTalk to work @@ -777,22 +777,12 @@ switch (com = uap->com) { case FIONCLEX: -#ifdef MAC - error = mac_file_check_change_ofileflags(proc_ucred(p), - fp->f_fglob, *fdflags(p, uap->fd), - *fdflags(p, uap->fd) & ~UF_EXCLOSE); - if (error == 0) -#endif - *fdflags(p, uap->fd) &= ~UF_EXCLOSE; + *fdflags(p, uap->fd) &= ~UF_EXCLOSE; + error =0; goto out; case FIOCLEX: -#ifdef MAC - error = mac_file_check_change_ofileflags(proc_ucred(p), - fp->f_fglob, *fdflags(p, uap->fd), - *fdflags(p, uap->fd) | UF_EXCLOSE); - if (error == 0) -#endif - *fdflags(p, uap->fd) |= UF_EXCLOSE; + *fdflags(p, uap->fd) |= UF_EXCLOSE; + error =0; goto out; } @@ -856,13 +846,6 @@ switch (com) { case FIONBIO: -#ifdef MAC - error = mac_file_check_change_flags(proc_ucred(p), fp->f_fglob, - fp->f_flag, *(int *)datap ? fp->f_flag | FNONBLOCK : - fp->f_flag & ~FNONBLOCK); - if (error) - goto out; -#endif if ( (tmp = *(int *)datap) ) fp->f_flag |= FNONBLOCK; else @@ -871,13 +854,6 @@ break; case FIOASYNC: -#ifdef MAC - error = mac_file_check_change_flags(proc_ucred(p), fp->f_fglob, - fp->f_flag, *(int *)datap ? fp->f_flag | FASYNC : - fp->f_flag & ~FASYNC); - if (error) - goto out; -#endif if ( (tmp = *(int *)datap) ) fp->f_flag |= FASYNC; else @@ -2495,4 +2471,3 @@ return(0); } - ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_syscalls.c#16 (text+ko) ==== @@ -1746,13 +1746,6 @@ if ((flags & FNONBLOCK) == 0) type |= F_WAIT; #ifdef MAC - error = mac_file_check_change_flags(vfs_context_ucred(ctx), - fp->f_fglob, fp->f_fglob->fg_flag, - fp->f_fglob->fg_flag | FHASLOCK); - if (error) - goto bad; -#endif -#ifdef MAC error = mac_file_check_lock(vfs_context_ucred(ctx), fp->f_fglob, F_SETLK, &lf); if (error) ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_file.c#7 (text+ko) ==== @@ -143,48 +143,6 @@ } int -mac_file_check_get_flags(struct ucred *cred, struct fileglob *fg, - u_int flags) -{ - int error; - - MAC_CHECK(file_check_get_flags, cred, fg, fg->fg_label, flags); - return (error); -} - -int -mac_file_check_get_ofileflags(struct ucred *cred, struct fileglob *fg, - char flags) -{ - int error; - - MAC_CHECK(file_check_get_ofileflags, cred, fg, fg->fg_label, flags); - return (error); -} - -int -mac_file_check_change_flags(struct ucred *cred, struct fileglob *fg, - u_int oldflags, u_int newflags) -{ - int error; - - MAC_CHECK(file_check_change_flags, cred, fg, fg->fg_label, oldflags, - newflags); - return (error); -} - -int -mac_file_check_change_ofileflags(struct ucred *cred, struct fileglob *fg, - char oldflags, char newflags) -{ - int error; - - MAC_CHECK(file_check_change_ofileflags, cred, fg, fg->fg_label, - oldflags, newflags); - return (error); -} - -int mac_file_check_get_offset(struct ucred *cred, struct fileglob *fg) { int error; ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#19 (text+ko) ==== @@ -122,22 +122,14 @@ void mac_devfs_label_update(struct mount *mp, struct devnode *de, struct vnode *vp); int mac_execve_enter(user_addr_t mac_p, struct label *execlabel); -int mac_file_check_change_flags(struct ucred *cred, struct fileglob *fg, - u_int oldflags, u_int newflags); int mac_file_check_change_offset(struct ucred *cred, struct fileglob *fg); -int mac_file_check_change_ofileflags(struct ucred *cred, - struct fileglob *fg, char oldflags, char newflags); int mac_file_check_create(struct ucred *cred); int mac_file_check_dup(struct ucred *cred, struct fileglob *fg, int newfd); int mac_file_check_fcntl(struct ucred *cred, struct fileglob *fg, int cmd, long arg); int mac_file_check_get(struct ucred *cred, struct fileglob *fg, char *elements, int len); -int mac_file_check_get_flags(struct ucred *cred, struct fileglob *fg, - u_int flags); int mac_file_check_get_offset(struct ucred *cred, struct fileglob *fg); -int mac_file_check_get_ofileflags(struct ucred *cred, struct fileglob *fg, - char flags); int mac_file_check_inherit(struct ucred *cred, struct fileglob *fg); int mac_file_check_ioctl(struct ucred *cred, struct fileglob *fg, u_long com, void *data); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#28 (text+ko) ==== @@ -580,48 +580,6 @@ struct label *vnodelabel ); /** - @brief Access control for changing file descriptor flags - @param cred Subject credential - @param fg Fileglob structure - @param label Policy label for fg - @param oldflags Old fd flags - @param newflags New fd flags - - Determine whether the subject identified by the credential can - change the specified flags for the fileglob structure represented by fg. - - @return Return 0 if access if granted, otherwise an appropriate - value for errno should be returned. -*/ -typedef int mpo_file_check_change_flags_t( - struct ucred *cred, - struct fileglob *fg, - struct label *label, - u_int oldflags, - u_int newflags -); -/** - @brief Access control for changing open file flags - @param cred Subject credential - @param fg Fileglob structure - @param label Policy label for fg - @param flags Old flags - @param flags New flags - - Determine whether the subject identified by the credential can - change the open file flags for the fileglob structure represented by fg. - - @return Return 0 if access if granted, otherwise an appropriate - value for errno should be returned. -*/ -typedef int mpo_file_check_change_ofileflags_t( - struct ucred *cred, - struct fileglob *fg, - struct label *label, - char oldflags, - char newflags -); -/** @brief Access control for changing the offset of a file descriptor @param cred Subject credential @param fg Fileglob structure @@ -710,25 +668,6 @@ int len ); /** - @brief Access control for getting file descriptor flags - @param cred Subject credential - @param fg Fileglob structure - @param label Policy label for fg - @param flags Requested flags - - Determine whether the subject identified by the credential can - get the specified flags for the fileglob structure represented by fg. - - @return Return 0 if access if granted, otherwise an appropriate - value for errno should be returned. -*/ -typedef int mpo_file_check_get_flags_t( - struct ucred *cred, - struct fileglob *fg, - struct label *label, - u_int flags -); -/** @brief Access control for getting the offset of a file descriptor @param cred Subject credential @param fg Fileglob structure @@ -746,25 +685,6 @@ struct label *label ); /** - @brief Access control for getting open file flags - @param cred Subject credential - @param fg Fileglob structure - @param label Policy label for fg - @param flags Requested flags - - Determine whether the subject identified by the credential can - get the open file flags for the fileglob structure represented by fg. - - @return Return 0 if access if granted, otherwise an appropriate - value for errno should be returned. -*/ -typedef int mpo_file_check_get_ofileflags_t( - struct ucred *cred, - struct fileglob *fg, - struct label *label, - char flags -); -/** @brief Access control for inheriting a file descriptor @param cred Subject credential @param fg Fileglob structure @@ -5123,15 +5043,11 @@ mpo_devfs_label_destroy_t *mpo_devfs_label_destroy; mpo_devfs_label_init_t *mpo_devfs_label_init; mpo_devfs_label_update_t *mpo_devfs_label_update; - mpo_file_check_change_flags_t *mpo_file_check_change_flags; mpo_file_check_change_offset_t *mpo_file_check_change_offset; - mpo_file_check_change_ofileflags_t *mpo_file_check_change_ofileflags; mpo_file_check_create_t *mpo_file_check_create; mpo_file_check_dup_t *mpo_file_check_dup; mpo_file_check_fcntl_t *mpo_file_check_fcntl; - mpo_file_check_get_flags_t *mpo_file_check_get_flags; mpo_file_check_get_offset_t *mpo_file_check_get_offset; - mpo_file_check_get_ofileflags_t *mpo_file_check_get_ofileflags; mpo_file_check_get_t *mpo_file_check_get; mpo_file_check_inherit_t *mpo_file_check_inherit; mpo_file_check_ioctl_t *mpo_file_check_ioctl; ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#45 (text+ko) ==== @@ -3146,43 +3146,6 @@ } static int -sebsd_file_check_get_flags(struct ucred *cred, struct fileglob *fg, - struct label *fglabel, u_int flags) -{ - - return (file_has_perm(cred, fg, fglabel, 0)); -} - -static int -sebsd_file_check_get_ofileflags(struct ucred *cred, struct fileglob *fg, - struct label *fglabel, char flags) -{ - - return (file_has_perm(cred, fg, fglabel, 0)); -} - -static int -sebsd_file_check_change_flags(struct ucred *cred, struct fileglob *fg, - struct label *fglabel, u_int oldflags, u_int newflags) -{ - u_int32_t av = 0; - - if ((newflags & O_APPEND) && !(oldflags & O_APPEND)) - av = FILE__WRITE; - - return (file_has_perm(cred, fg, fglabel, av)); -} - -static int -sebsd_file_check_change_ofileflags(struct ucred *cred, struct fileglob *fg, - struct label *fglabel, char oldflags, char newflags) -{ - - /* XXX - should set av to something */ - return (file_has_perm(cred, fg, fglabel, 0)); -} - -static int sebsd_file_check_get_offset(struct ucred *cred, struct fileglob *fg, struct label *fglabel) { @@ -3552,13 +3515,9 @@ .mpo_devfs_label_destroy = sebsd_vnode_label_destroy, .mpo_devfs_label_init = sebsd_vnode_label_init, .mpo_devfs_label_update = sebsd_devfs_update, - .mpo_file_check_change_flags = sebsd_file_check_change_flags, .mpo_file_check_change_offset = sebsd_file_check_change_offset, - .mpo_file_check_change_ofileflags = sebsd_file_check_change_ofileflags, .mpo_file_check_dup = sebsd_file_check_dup, - .mpo_file_check_get_flags = sebsd_file_check_get_flags, .mpo_file_check_get_offset = sebsd_file_check_get_offset, - .mpo_file_check_get_ofileflags = sebsd_file_check_get_ofileflags, .mpo_file_check_inherit = sebsd_file_check_receive, .mpo_file_check_ioctl = sebsd_file_check_ioctl, .mpo_file_check_lock = sebsd_file_check_lock,