From owner-p4-projects Thu Aug 8 7:53:54 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 040A537B401; Thu, 8 Aug 2002 07:52:51 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5568137B400 for ; Thu, 8 Aug 2002 07:52:48 -0700 (PDT) Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7A2C043E3B for ; Thu, 8 Aug 2002 07:52:47 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from freefall.freebsd.org (perforce@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g78EqlJU046841 for ; Thu, 8 Aug 2002 07:52:47 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g78EqlN7046838 for perforce@freebsd.org; Thu, 8 Aug 2002 07:52:47 -0700 (PDT) Date: Thu, 8 Aug 2002 07:52:47 -0700 (PDT) Message-Id: <200208081452.g78EqlN7046838@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f From: Robert Watson Subject: PERFORCE change 15682 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15682 Change 15682 by rwatson@rwatson_paprika on 2002/08/08 07:52:26 Push down the SLOT() mapping from the entry point implementations to the supporting functions (mac_te_check(), copy(), et al), simplifying the entry point implementations. Teach TE how to see a "null" TE label, which requests no update during a relabel operation. Allow null TE relabels without privilege so that relative label updates dealing only with other policies will function correctly. Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#68 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#68 (text+ko) ==== @@ -506,11 +506,15 @@ } static int -mac_te_check(struct mac_te *subject, struct mac_te *object, int object_class, +mac_te_check(struct label *lsubject, struct label *lobject, int object_class, int operation) { + struct mac_te *subject, *object; int match; int rule; + + subject = SLOT(lsubject); + object = SLOT(lobject); if (!mac_te_enabled) return (0); @@ -549,11 +553,11 @@ } static void -mac_te_init_label_as(struct mac_te *telabel, char *type) +mac_te_init_label_as(struct mac_te *mac_te, char *type) { - bzero(&telabel->mt_type, MAC_TE_TYPE_MAXLEN+1); - strncpy(telabel->mt_type, type, MAC_TE_TYPE_MAXLEN); + bzero(&mac_te->mt_type, MAC_TE_TYPE_MAXLEN+1); + strncpy(mac_te->mt_type, type, MAC_TE_TYPE_MAXLEN); } static void @@ -564,18 +568,24 @@ } static void -mac_te_copy_label_teonly(const struct mac_te *labelfrom, - struct mac_te *labelto) +mac_te_copy_label_teonly(const struct mac_te *from, struct mac_te *to) { - bcopy(labelfrom, labelto, sizeof(*labelto)); + bcopy(from, to, sizeof(*to)); } static void -mac_te_copy_label(struct mac_te *tefrom, struct mac_te *teto) +mac_te_copy_label(const struct label *from, struct label *to) +{ + + mac_te_copy_label_teonly(SLOT(from), SLOT(to)); +} + +static int +mac_te_null_label(struct label *label) { - mac_te_copy_label_teonly(tefrom, teto); + return (strlen(SLOT(label)->mt_type) == 0); } static void @@ -596,15 +606,15 @@ mac_te_create_cred(struct ucred *cred_parent, struct ucred *cred_child) { - mac_te_copy_label(SLOT(&cred_parent->cr_label), - SLOT(&cred_child->cr_label)); + mac_te_copy_label(&cred_parent->cr_label, &cred_child->cr_label); } static void mac_te_relabel_cred(struct ucred *cred, struct label *newlabel) { - mac_te_copy_label(SLOT(newlabel), SLOT(&cred->cr_label)); + if (!mac_te_null_label(newlabel)) + mac_te_copy_label(newlabel, &cred->cr_label); } static void @@ -612,7 +622,8 @@ struct label *ifnetlabel, struct label *newlabel) { - mac_te_copy_label(SLOT(newlabel), SLOT(ifnetlabel)); + if (!mac_te_null_label(newlabel)) + mac_te_copy_label(newlabel, ifnetlabel); } static int @@ -623,42 +634,43 @@ if (!mac_te_enabled) return (0); - return (mac_te_check(SLOT(bpflabel), SLOT(ifnetlabel), - MAC_TE_CLASS_BPF, MAC_TE_OPERATION_BPF_RECEIVE)); + return (mac_te_check(bpflabel, ifnetlabel, MAC_TE_CLASS_BPF, + MAC_TE_OPERATION_BPF_RECEIVE)); } static int mac_te_check_cred_relabel(struct ucred *cred, struct label *newlabel) { - int error, privilege_needed; - /* Allow no-op updates without privilege. */ - privilege_needed = 0; - if (!mac_te_equal(&cred->cr_label, newlabel)) - privilege_needed = 1; + /* Don't prevent relabel if no-op. */ + if (mac_te_null_label(newlabel)) + return (0); + if (mac_te_equal(&cred->cr_label, newlabel)) + return (0); - if (privilege_needed) { - error = suser_cred(cred, 0); - if (error) - return (error); - } - - return (0); + /* We should check the TE policy here, but instead we require root. */ + return (suser_cred(cred, 0)); } static int mac_te_check_cred_visible(struct ucred *u1, struct ucred *u2) { - return (mac_te_check(SLOT(&u1->cr_label), SLOT(&u2->cr_label), - MAC_TE_CLASS_PROC, MAC_TE_OPERATION_PROC_SEE)); + return (mac_te_check(&u1->cr_label, &u2->cr_label, MAC_TE_CLASS_PROC, + MAC_TE_OPERATION_PROC_SEE)); } static int mac_te_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet, - struct label *newlabel) + struct label *ifnetlabel, struct label *newlabel) { + /* Don't prevent relabel if no-op. */ + if (mac_te_null_label(newlabel)) + return (0); + if (mac_te_equal(ifnetlabel, newlabel)) + return (0); + /* We should check the TE policy here, but instead we require root. */ return (suser_cred(cred, 0)); } @@ -672,8 +684,8 @@ * mbuf as an object. Since sockets are objects, this is * probably wrong. */ - return (mac_te_check(SLOT(ifnetlabel), SLOT(mbuflabel), - MAC_TE_CLASS_MBUF, MAC_TE_OPERATION_MBUF_SEND)); + return (mac_te_check(ifnetlabel, mbuflabel, MAC_TE_CLASS_MBUF, + MAC_TE_OPERATION_MBUF_SEND)); } static int @@ -682,8 +694,8 @@ { int error; - error = mac_te_check(SLOT(&cred->cr_label), SLOT(mplabel), - MAC_TE_CLASS_FS, MAC_TE_OPERATION_FS_STATFS); + error = mac_te_check(&cred->cr_label, mplabel, MAC_TE_CLASS_FS, + MAC_TE_OPERATION_FS_STATFS); return (error); } @@ -712,40 +724,39 @@ mac_te_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel) { - int error; - error = suser_cred(cred, 0); - if (error) - return (error); + /* Don't prevent relabel if no-op. */ + if (mac_te_null_label(newlabel)) + return (0); + if (mac_te_equal(newlabel, pipelabel)) + return (0); - return (0); + /* We should check the TE policy here, but instead we require root. */ + return (suser_cred(cred, 0)); } static int mac_te_check_proc_debug(struct ucred *cred, struct proc *proc) { - return (mac_te_check(SLOT(&cred->cr_label), - SLOT(&proc->p_ucred->cr_label), MAC_TE_CLASS_PROC, - MAC_TE_OPERATION_PROC_DEBUG)); + return (mac_te_check(&cred->cr_label, &proc->p_ucred->cr_label, + MAC_TE_CLASS_PROC, MAC_TE_OPERATION_PROC_DEBUG)); } static int mac_te_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) { - return (mac_te_check(SLOT(&cred->cr_label), - SLOT(&proc->p_ucred->cr_label), MAC_TE_CLASS_PROC, - MAC_TE_OPERATION_PROC_SIGNAL)); + return (mac_te_check(&cred->cr_label, &proc->p_ucred->cr_label, + MAC_TE_CLASS_PROC, MAC_TE_OPERATION_PROC_SIGNAL)); } static int mac_te_check_proc_sched(struct ucred *cred, struct proc *proc) { - return (mac_te_check(SLOT(&cred->cr_label), - SLOT(&proc->p_ucred->cr_label), MAC_TE_CLASS_PROC, - MAC_TE_OPERATION_PROC_SCHED)); + return (mac_te_check(&cred->cr_label, &proc->p_ucred->cr_label, + MAC_TE_CLASS_PROC, MAC_TE_OPERATION_PROC_SCHED)); } static int @@ -756,7 +767,7 @@ if (!mac_te_enabled) return (0); - return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel), + return (mac_te_check(&cred->cr_label, socketlabel, MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_BIND)); } @@ -768,7 +779,7 @@ if (!mac_te_enabled) return (0); - return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel), + return (mac_te_check(&cred->cr_label, socketlabel, MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_CONNECT)); } @@ -780,7 +791,7 @@ if (!mac_te_enabled) return (0); - return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel), + return (mac_te_check(&cred->cr_label, socketlabel, MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_LISTEN)); } @@ -789,21 +800,23 @@ struct mbuf *m, struct label *mbuflabel) { - return (mac_te_check(SLOT(socketlabel), SLOT(mbuflabel), - MAC_TE_CLASS_MBUF, MAC_TE_OPERATION_MBUF_RECEIVE)); + return (mac_te_check(socketlabel, mbuflabel, MAC_TE_CLASS_MBUF, + MAC_TE_OPERATION_MBUF_RECEIVE)); } static int mac_te_check_socket_relabel(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct label *newlabel) { - int error; - error = suser_cred(cred, 0); - if (error) - return (error); + /* Don't prevent relabel if no-op. */ + if (mac_te_null_label(newlabel)) + return (0); + if (mac_te_equal(newlabel, socketlabel)) + return (0); - return (0); + /* We should check the TE policy here, but instead we require root. */ + return (suser_cred(cred, 0)); } static int @@ -811,7 +824,7 @@ struct label *socketlabel) { - return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel), + return (mac_te_check(&cred->cr_label, socketlabel, MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_SEE)); } @@ -831,21 +844,22 @@ struct label *bdlabel) { - mac_te_copy_label(SLOT(&cred->cr_label), SLOT(bdlabel)); + mac_te_copy_label(&cred->cr_label, bdlabel); } static void mac_te_create_object(struct ucred *cred, struct label *label) { - mac_te_copy_label(SLOT(&cred->cr_label), SLOT(label)); + mac_te_copy_label(&cred->cr_label, label); } static void -mac_te_create_object_from_object(struct label *oldlabel, struct label *newlabel) +mac_te_create_object_from_object(struct label *oldlabel, + struct label *newlabel) { - mac_te_copy_label(SLOT(oldlabel), SLOT(newlabel)); + mac_te_copy_label(oldlabel, newlabel); } static void @@ -853,7 +867,7 @@ struct mbuf *datagram, struct label *datagramlabel) { - mac_te_copy_label(SLOT(ipqlabel), SLOT(datagramlabel)); + mac_te_copy_label(ipqlabel, datagramlabel); } static void @@ -862,7 +876,7 @@ { mac_te_init_label(SLOT(fragmentlabel)); - mac_te_copy_label(SLOT(datagramlabel), SLOT(fragmentlabel)); + mac_te_copy_label(datagramlabel, fragmentlabel); } static void @@ -870,7 +884,7 @@ struct mbuf *ipq, struct label *ipqlabel) { - mac_te_copy_label(SLOT(fragmentlabel), SLOT(ipqlabel)); + mac_te_copy_label(fragmentlabel, ipqlabel); } static void @@ -879,7 +893,7 @@ struct label *newmbuflabel) { - mac_te_copy_label(SLOT(oldmbuflabel), SLOT(newmbuflabel)); + mac_te_copy_label(oldmbuflabel, newmbuflabel); } static void @@ -895,7 +909,7 @@ struct mbuf *m, struct label *mlabel) { - mac_te_copy_label(SLOT(iflabel), SLOT(mlabel)); + mac_te_copy_label(iflabel, mlabel); } static void @@ -904,7 +918,7 @@ struct mbuf *newmbuf, struct label *nmblabel) { - mac_te_copy_label(SLOT(oldmblabel), SLOT(nmblabel)); + mac_te_copy_label(oldmblabel, nmblabel); } static void @@ -912,7 +926,7 @@ struct mbuf *newmbuf, struct label *nmblabel) { - mac_te_copy_label(SLOT(oldmblabel), SLOT(nmblabel)); + mac_te_copy_label(oldmblabel, nmblabel); } static int @@ -928,7 +942,7 @@ struct mbuf *m, struct label *mlabel) { - mac_te_copy_label(SLOT(solabel), SLOT(mlabel)); + mac_te_copy_label(solabel, mlabel); } static void @@ -962,7 +976,8 @@ struct label *oldlabel, struct label *newlabel) { - mac_te_copy_label(SLOT(newlabel), SLOT(oldlabel)); + if (!mac_te_null_label(newlabel)) + mac_te_copy_label(newlabel, oldlabel); } static void @@ -970,7 +985,8 @@ struct label *pipelabel, struct label *newlabel) { - mac_te_copy_label(SLOT(newlabel), SLOT(pipelabel)); + if (!mac_te_null_label(newlabel)) + mac_te_copy_label(newlabel, pipelabel); } static void @@ -978,7 +994,7 @@ struct socket *socket, struct label *sopeerlabel) { - mac_te_copy_label(SLOT(mlabel), SLOT(sopeerlabel)); + mac_te_copy_label(mlabel, sopeerlabel); } static void @@ -987,7 +1003,7 @@ struct label *newpeerlabel) { - mac_te_copy_label(SLOT(oldlabel), SLOT(newpeerlabel)); + mac_te_copy_label(oldlabel, newpeerlabel); } static void @@ -995,7 +1011,7 @@ struct mbuf *mbuf, struct label *mblabel) { - mac_te_copy_label(SLOT(bdlabel), SLOT(mblabel)); + mac_te_copy_label(bdlabel, mblabel); } static void @@ -1019,10 +1035,11 @@ static void mac_te_relabel_vnode(struct ucred *cred, struct vnode *vp, - struct label *vnodelabel, struct label *label) + struct label *vnodelabel, struct label *newlabel) { - mac_te_copy_label(SLOT(label), SLOT(vnodelabel)); + if (!mac_te_null_label(newlabel)) + mac_te_copy_label(newlabel, vnodelabel); } @@ -1078,7 +1095,7 @@ struct vnode *vp, struct label *vnodelabel) { - mac_te_copy_label(SLOT(direntlabel), SLOT(vnodelabel)); + mac_te_copy_label(direntlabel, vnodelabel); } static void @@ -1102,8 +1119,8 @@ struct label *dlabel) { - return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_CHDIR)); + return (mac_te_check(&cred->cr_label, dlabel, MAC_TE_CLASS_DIR, + MAC_TE_OPERATION_DIR_CHDIR)); } static int @@ -1111,8 +1128,8 @@ struct label *dlabel) { - return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_CHROOT)); + return (mac_te_check(&cred->cr_label, dlabel, MAC_TE_CLASS_DIR, + MAC_TE_OPERATION_DIR_CHROOT)); } static int @@ -1120,8 +1137,8 @@ struct label *dlabel, struct componentname *cnp, struct vattr *vap) { - return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_WRITE)); + return (mac_te_check(&cred->cr_label, dlabel, MAC_TE_CLASS_DIR, + MAC_TE_OPERATION_DIR_WRITE)); } static int @@ -1131,19 +1148,19 @@ { int error; - error = mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_WRITE); + error = mac_te_check(&cred->cr_label, dlabel, MAC_TE_CLASS_DIR, + MAC_TE_OPERATION_DIR_WRITE); if (error) return (error); switch (vp->v_type) { case VDIR: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_DELETE)); + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR, + MAC_TE_OPERATION_DIR_DELETE)); case VLNK: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_DELETE)); default: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_DELETE)); } } @@ -1155,13 +1172,13 @@ switch (vp->v_type) { case VDIR: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_DELETEACL)); + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR, + MAC_TE_OPERATION_DIR_DELETEACL)); case VLNK: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_DELETEACL)); default: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_DELETEACL)); } } @@ -1171,8 +1188,8 @@ struct label *label) { - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), - MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_EXEC)); + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE, + MAC_TE_OPERATION_FILE_EXEC)); } static int @@ -1182,13 +1199,13 @@ switch (vp->v_type) { case VDIR: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_GETACL)); + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR, + MAC_TE_OPERATION_DIR_GETACL)); case VLNK: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_GETACL)); default: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_GETACL)); } } @@ -1200,13 +1217,13 @@ switch (vp->v_type) { case VDIR: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE, MAC_TE_OPERATION_DIR_GETEXTATTR)); case VLNK: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_GETEXTATTR)); default: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_GETEXTATTR)); } } @@ -1216,30 +1233,26 @@ struct label *dlabel, struct componentname *cnp) { - return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_LOOKUP)); + return (mac_te_check(&cred->cr_label, dlabel, MAC_TE_CLASS_DIR, + MAC_TE_OPERATION_DIR_LOOKUP)); } static vm_prot_t mac_te_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp, struct label *label, int newmapping) { - struct mac_te *subj, *obj; vm_prot_t prot = 0; if (!mac_te_enabled || (!mac_te_revocation_enabled && !newmapping)) return (VM_PROT_ALL); - subj = SLOT(&cred->cr_label); - obj = SLOT(label); - - if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE, + if (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_READ) == 0) prot |= VM_PROT_READ; - if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE, + if (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_EXEC) == 0) prot |= VM_PROT_EXECUTE; - if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE, + if (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_WRITE) == 0) prot |= VM_PROT_WRITE; return (prot); @@ -1249,12 +1262,9 @@ mac_te_check_vnode_open(struct ucred *cred, struct vnode *vp, struct label *filelabel, mode_t acc_mode) { - struct mac_te *subj, *obj; int object_class, operation; int error; - subj = SLOT(&cred->cr_label); - obj = SLOT(filelabel); /* * Treat all vnode types as files, for the time being, except * for directories. @@ -1277,7 +1287,8 @@ default: panic("mac_te_vaccess: invalid object_class"); } - error = mac_te_check(subj, obj, object_class, operation); + error = mac_te_check(&cred->cr_label, filelabel, object_class, + operation); if (error) return (error); } @@ -1292,7 +1303,8 @@ default: panic("mac_te_vaccess: invalid object_class"); } - error = mac_te_check(subj, obj, object_class, operation); + error = mac_te_check(&cred->cr_label, filelabel, object_class, + operation); if (error) return (error); } @@ -1307,7 +1319,8 @@ default: panic("mac_te_vaccess: invalid object_class"); } - error = mac_te_check(subj, obj, object_class, operation); + error = mac_te_check(&cred->cr_label, filelabel, object_class, + operation); if (error) return (error); } @@ -1318,16 +1331,12 @@ mac_te_check_vnode_poll(struct ucred *active_cred, struct ucred *saved_cred, struct vnode *vp, struct label *label) { - struct mac_te *subj, *obj; int error; if (!mac_te_revocation_enabled) return (0); - subj = SLOT(&active_cred->cr_label); - obj = SLOT(label); - - error = mac_te_check(subj, obj, MAC_TE_CLASS_FILE, + error = mac_te_check(&active_cred->cr_label, label, MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_POLL); return (error); @@ -1337,16 +1346,12 @@ mac_te_check_vnode_read(struct ucred *active_cred, struct ucred *saved_cred, struct vnode *vp, struct label *label) { - struct mac_te *subj, *obj; int error; if (!mac_te_revocation_enabled) return (0); - subj = SLOT(&active_cred->cr_label); - obj = SLOT(label); - - error = mac_te_check(subj, obj, MAC_TE_CLASS_FILE, + error = mac_te_check(&active_cred->cr_label, label, MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_READ); return (error); @@ -1356,12 +1361,8 @@ mac_te_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, struct label *dlabel) { - struct mac_te *subj, *obj; - subj = SLOT(&cred->cr_label); - obj = SLOT(dlabel); - - return (mac_te_check(subj, obj, MAC_TE_CLASS_DIR, + return (mac_te_check(&cred->cr_label, dlabel, MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_READDIR)); } @@ -1369,33 +1370,24 @@ mac_te_check_vnode_readlink(struct ucred *cred, struct vnode *vp, struct label *vnodelabel) { - struct mac_te *subj, *obj; - subj = SLOT(&cred->cr_label); - obj = SLOT(vnodelabel); - - return (mac_te_check(subj, obj, MAC_TE_CLASS_SYMLINK, - MAC_TE_OPERATION_SYMLINK_READLINK)); + return (mac_te_check(&cred->cr_label, vnodelabel, + MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_READLINK)); } static int mac_te_check_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *oldlabel, struct label *newlabel) { - int error, privilege_needed; - /* Allow no-op updates without privilege. */ - privilege_needed = 0; - if (!mac_te_equal(&cred->cr_label, newlabel)) - privilege_needed = 1; + /* Don't prevent relabel if no-op. */ + if (mac_te_null_label(newlabel)) + return (0); + if (mac_te_equal(&cred->cr_label, newlabel)) + return (0); - if (privilege_needed) { - error = suser_cred(cred, 0); - if (error) - return (error); - } - - return (0); + /* We should check the TE policy here, but instead we require root. */ + return (suser_cred(cred, 0)); } static int @@ -1403,8 +1395,8 @@ struct label *label) { - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), - MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_ADMIN)); + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE, + MAC_TE_OPERATION_FILE_ADMIN)); } static int @@ -1414,13 +1406,13 @@ switch (vp->v_type) { case VDIR: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_SETACL)); + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR, + MAC_TE_OPERATION_DIR_SETACL)); case VLNK: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_SETACL)); default: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_SETACL)); } } @@ -1432,10 +1424,10 @@ switch (vp->v_type) { case VDIR: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_SETEXTATTR)); + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR, + MAC_TE_OPERATION_DIR_SETEXTATTR)); default: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_SETEXTATTR)); } } @@ -1447,13 +1439,13 @@ switch (vp->v_type) { case VDIR: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_ADMIN)); + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR, + MAC_TE_OPERATION_DIR_ADMIN)); case VLNK: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_ADMIN)); default: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_ADMIN)); } } @@ -1465,13 +1457,13 @@ switch (vp->v_type) { case VDIR: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_ADMIN)); + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR, + MAC_TE_OPERATION_DIR_ADMIN)); case VLNK: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_ADMIN)); default: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_ADMIN)); } } @@ -1483,13 +1475,13 @@ switch (vp->v_type) { case VDIR: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_ADMIN)); + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR, + MAC_TE_OPERATION_DIR_ADMIN)); case VLNK: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_ADMIN)); default: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_ADMIN)); } } @@ -1501,13 +1493,13 @@ switch (vp->v_type) { case VDIR: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_ADMIN)); + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR, + MAC_TE_OPERATION_DIR_ADMIN)); case VLNK: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_ADMIN)); default: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_ADMIN)); } } @@ -1519,20 +1511,20 @@ { int error; - error = mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_WRITE); + error = mac_te_check(&cred->cr_label, dlabel, MAC_TE_CLASS_DIR, + MAC_TE_OPERATION_DIR_WRITE); if (error) return (error); /* Not really correct. */ switch (vp->v_type) { case VDIR: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_DELETE)); + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR, + MAC_TE_OPERATION_DIR_DELETE)); case VLNK: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_DELETE)); default: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_DELETE)); } } @@ -1544,20 +1536,20 @@ { int error; - error = mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_WRITE); + error = mac_te_check(&cred->cr_label, dlabel, MAC_TE_CLASS_DIR, + MAC_TE_OPERATION_DIR_WRITE); if (error || label == NULL || vp == NULL) return (error); /* Not really correct. */ switch (vp->v_type) { case VDIR: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_DELETE)); + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR, + MAC_TE_OPERATION_DIR_DELETE)); case VLNK: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_DELETE)); default: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_DELETE)); } } @@ -1569,13 +1561,13 @@ switch (vp->v_type) { case VDIR: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), - MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_STAT)); + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR, + MAC_TE_OPERATION_DIR_STAT)); case VLNK: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_SYMLINK, MAC_TE_OPERATION_SYMLINK_STAT)); default: - return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_STAT)); } } @@ -1584,16 +1576,12 @@ mac_te_check_vnode_write(struct ucred *active_cred, struct ucred *saved_cred, struct vnode *vp, struct label *label) { - struct mac_te *subj, *obj; int error; if (!mac_te_revocation_enabled) return (0); - subj = SLOT(&active_cred->cr_label); - obj = SLOT(label); - - error = mac_te_check(subj, obj, MAC_TE_CLASS_FILE, + error = mac_te_check(&active_cred->cr_label, label, MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_WRITE); return (error); @@ -1628,7 +1616,7 @@ } } - mac_te_copy_label(SLOT(&old->cr_label), SLOT(&new->cr_label)); + mac_te_copy_label(&old->cr_label, &new->cr_label); } static int @@ -1656,7 +1644,7 @@ struct label *direntlabel, struct vnode *vp, struct label *vnodelabel) { - mac_te_copy_label(SLOT(vnodelabel), SLOT(direntlabel)); + mac_te_copy_label(vnodelabel, direntlabel); } >>> TRUNCATED FOR MAIL (1000 lines) <<< To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message