Date: Fri, 24 Oct 2003 14:38:20 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 40437 for review Message-ID: <200310242138.h9OLcKIp025676@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=40437 Change 40437 by rwatson@rwatson_tislabs on 2003/10/24 14:37:54 Flesh out the mount-related pieces in mac_vfs.c with local modifications from kern_mac.c in the SEBSD branch: - Add mac_init_mount_label(), mac_destroy_mount_label(), mac_copy_mount_label(), mac_externalize_mount_label(), mac_internalize_mount_label(). - Add mac_check_mount(), mac_check_umount(), mac_check_remount(). - Add optional mount label argument to mac_create_mount(). - Add credential to mac_create_devfs_device() for use with cloning.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_internal.h#2 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_vfs.c#2 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_internal.h#2 (text+ko) ====
@@ -109,6 +109,9 @@
 int mac_internalize_cred_label(struct label *label, char *string);
 void mac_relabel_cred(struct ucred *cred, struct label *newlabel);
+int mac_externalize_mount_label(struct label *label, char *elements,
+ char *outbuf, size_t outbuflen, int flags);
+int mac_internalize_mount_label(struct label *label, char *string);
 void mac_copy_pipe_label(struct label *src, struct label *dest);
 void mac_destroy_pipe_label(struct label *label);
==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_vfs.c#2 (text+ko) ====
@@ -110,12 +110,19 @@
 }
 void
+mac_init_mount_label(struct label *label)
+{
+
+ mac_init_label(label);
+ MAC_PERFORM(init_mount_label, label);
+}
+
+void
 mac_init_mount(struct mount *mp)
 {
- mac_init_label(&mp->mnt_mntlabel);
+ mac_init_mount_label(&mp->mnt_mntlabel);
 mac_init_label(&mp->mnt_fslabel);
- MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
 MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
 MAC_DEBUG_COUNTER_INC(&nmacmounts);
 }
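Review bot: In mac_init_mount the two labels are now initialised in two different styles: mnt_mntlabel goes through the new mac_init_mount_label() helper, while mnt_fslabel keeps the open-coded pair `mac_init_label(&mp->mnt_fslabel);` followed by `MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);`. A matching helper for the fs label, or a short comment saying why it has none, would keep the function uniform; mac_destroy_mount in the next hunk has the same asymmetry. The reshuffle also means the init_mount_label entry point now runs before mac_init_label(&mp->mnt_fslabel), whereas previously both labels were initialised before any MAC_PERFORM call; that looks harmless because the hook is handed only the one label, but it is worth confirming no policy depends on both being initialised first. mac_init_mount_label() itself has no header comment; `/* Initialise a mount label and invoke each policy's init_mount_label entry point via MAC_PERFORM. */` above it would state its purpose.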
@@ -146,13 +153,20 @@
 }
 void
+mac_destroy_mount_label(struct label *label)
+{
+
+ MAC_PERFORM(destroy_mount_label, label);
+ mac_destroy_label(label);
+}
+
+void
 mac_destroy_mount(struct mount *mp)
 {
- MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
+ mac_destroy_mount_label(&mp->mnt_mntlabel);
 MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
 mac_destroy_label(&mp->mnt_fslabel);
- mac_destroy_label(&mp->mnt_mntlabel);
 MAC_DEBUG_COUNTER_DEC(&nmacmounts);
 }
@@ -173,6 +187,13 @@
 }
 void
+mac_copy_mount_label(struct label *src, struct label *dest)
+{
+
+ MAC_PERFORM(copy_mount_label, src, dest);
+}
+
+void
 mac_copy_vnode_label(struct label *src, struct label *dest)
 {
@@ -180,6 +201,17 @@
 }
 int
+mac_externalize_mount_label(struct label *label, char *elements,
+ char *outbuf, size_t outbuflen, int flags)
+{
+ int error;
+
+ MAC_EXTERNALIZE(mount_label, label, elements, outbuf, outbuflen);
+
+ return (error);
+}
+
+int
 mac_externalize_vnode_label(struct label *label, char *elements,
 char *outbuf, size_t outbuflen, int flags)
 {
@@ -191,6 +223,16 @@
 }
 int
+mac_internalize_mount_label(struct label *label, char *string)
+{
+ int error;
+
+ MAC_INTERNALIZE(mount_label, label, string);
+
+ return (error);
+}
+
+int
 mac_internalize_vnode_label(struct label *label, char *string)
 {
 int error;
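Review bot: mac_externalize_mount_label accepts `int flags` but never forwards it — `MAC_EXTERNALIZE(mount_label, label, elements, outbuf, outbuflen);` receives only the other five arguments — so within this function the parameter is dead. The context line for mac_externalize_vnode_label carries the same `flags`, so this looks like a deliberate uniform signature rather than an oversight, and a comment such as `/* flags is accepted for signature parity with the other externalize routines and is currently not passed to MAC_EXTERNALIZE. */` would spare the next reader the same check. `error` is declared without an initialiser and is only assigned inside the macro, again following the sibling routines; a one-line note that the macro is relied on to set it on every path would document that dependency. mac_internalize_mount_label in the following hunk has the same `error` pattern and could carry the same remark.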
@@ -342,6 +384,47 @@
 }
 int
+mac_check_mount(struct ucred *cred, struct vnode *vp, const char *vfc_name,
+ struct label *mntlabel)
+{
+ int error;
+
+ if (!mac_enforce_fs)
+ return (0);
+
+ MAC_CHECK(check_mount, cred, vp, &vp->v_label, vfc_name, mntlabel);
+
+ return (error);
+}
+
+int
+mac_check_umount(struct ucred *cred, struct mount *mp)
+{ int error;
+
+ if (!mac_enforce_fs)
+ return (0);
+
+ MAC_CHECK(check_umount, cred, mp, &mp->mnt_mntlabel);
+
+ return (error);
+}
+
+int
+mac_check_remount(struct ucred *cred, struct mount *mp,
+ struct label *mount_arg_label)
+{
+ int error;
+
+ if (!mac_enforce_fs)
+ return (0);
+
+ MAC_CHECK(check_remount, cred, mp, &mp->mnt_mntlabel,
+ mount_arg_label);
+
+ return (error);
+}
+
+int
 mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int acc_mode)
 {
 int error;
@@ -853,11 +936,12 @@
 }
 void
-mac_create_mount(struct ucred *cred, struct mount *mp)
+mac_create_mount(struct ucred *cred, struct mount *mp,
+ struct label *mount_arg_label)
 {
 MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel,
- &mp->mnt_fslabel);
+ &mp->mnt_fslabel, mount_arg_label);
 }
 void
@@ -882,11 +966,11 @@
 }
 void
-mac_create_devfs_device(struct mount *mp, dev_t dev, struct devfs_dirent *de,
- const char *fullpath)
+mac_create_devfs_device(struct ucred *cred, struct mount *mp, dev_t dev,
+ struct devfs_dirent *de, const char *fullpath)
 {
- MAC_PERFORM(create_devfs_device, mp, dev, de, &de->de_label,
+ MAC_PERFORM(create_devfs_device, cred, mp, dev, de, &de->de_label,
 fullpath);
 }help
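Review bot: In mac_check_umount the local declaration shares a line with the opening brace (`+{ int error;`), while mac_check_mount and mac_check_remount in the same hunk put `int error;` on its own line after `{`; it should be split into `{` and `int error;` to match its neighbours. The caller-supplied label argument is also named `mntlabel` in mac_check_mount but `mount_arg_label` in mac_check_remount (and in mac_create_mount in the next hunk); using one name for the same thing would make it obvious which label comes from the mount request and which is `&mp->mnt_mntlabel`. mac_check_mount dereferences `vp` for `&vp->v_label` with no NULL guard, which is fine if every caller passes the vnode being covered, but that cannot be confirmed from this hunk and a one-line comment stating the precondition would help.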
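Review bot: The new `mount_arg_label` parameter of mac_create_mount is forwarded straight into `MAC_PERFORM(create_mount, ..., mount_arg_label)` with nothing saying whether it may be NULL; the change description calls the argument optional, which suggests policies will sometimes be handed NULL here and must tolerate it. A header comment along the lines of `/* mount_arg_label: label supplied with the mount request, or NULL when none was given (confirm with callers); policy create_mount entry points must accept NULL. */` would record that contract beside the code. The same parameter appears in mac_check_remount in the previous hunk and deserves the same note there.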
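Review bot: mac_create_devfs_device now takes a `cred` that is only passed through to `MAC_PERFORM(create_devfs_device, cred, ...)`, and nothing in the hunk states whether device creation outside the cloning path supplies a real credential or NULL. Since the description adds the argument specifically "for use with cloning", a comment such as `/* cred: credential of the process triggering the device creation; presumably NULL when there is no cloning context — confirm with callers. */` would let policy authors know what to defend against. The wrapper itself neither checks nor uses `cred`, so the obligation falls entirely on the policy entry points.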
